Computer Forensics and Digital Investigation
Computer Security, EDA263, lecture 14
Ulf Larson

Lecture outline
! Introduction to Computer Forensics
! Digital investigation
! Conducting a Digital Crime Scene Investigation
! Legal aspects and considerations
! Data preservation, acquisition and analysis
  – Live incident response
  – Data duplication
  – Forensic analysis techniques
! Applicability of computer forensics

Introduction to Computer Forensics

Defining the word forensic
! American Heritage Dictionary definition of forensic:
  – "Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law."
! Many methods use science and technology to investigate and establish facts.
! Forensics is the term used when the results of the method should be valid in a court of law.

Defining computer forensics
! The corresponding definition for computer forensics would be:
  – "Relating to the use of computer science or technology in the investigation and establishment of facts or evidence regarding crimes committed with computers, or against computers, in a court of law."
  – or… "The art and science of applying computer science to aid the legal process"
  – or… "The application of computer investigation and analysis techniques to determine potential legal evidence"
! Thus, when computers are involved in the process of establishing facts that should be valid in a court of law, we denote this process as "computer forensics".

The Digital Investigation
The digital investigation
! However, not all investigations go to court:
  – Corporate investigations
  – Private investigations
! …and therefore not all investigations are "computer forensics".
  – A better name for the investigation process is digital investigation, or digital crime scene investigation.

The digital investigation
! A digital investigation takes place when a digital incident is reported and evidence needs to be found.
! Analogy to a physical investigation:
  – A physical investigation considers fibers, footprints, blood stains and fingerprints.
  – A digital investigation considers text files, e-mail messages, log entries and alerts.

The digital investigation: targets
! The digital investigation regards:
  – Crimes committed against computers:
    ! Intrusions and break-ins by networked attackers, and insider jobs
  – Crimes committed with computers:
    ! Communication between criminals engaged in murder, kidnapping, assault, extortion, drug dealing, espionage, terrorism, child pornography.

The digital investigation: purpose
! Its purpose is to provide information about:
  – What happened
  – When the events that led to the crime occurred
  – In what order the events occurred
  – What the cause of the events was
  – Who caused the events to occur
  – What enabled the events to take place
  – What was affected, and how much it was affected

The digital event
! A digital event is any activity or transition
  – Interrupts, command invocations, process termination, network data transmission/reception
! A digital event changes the state of one or more digital objects
! A digital object is a discrete collection of digital data
  – A file, a hard disk sector, a network packet, a process
! The state of a digital object is the collection of its characteristics
  – File name, file content, MAC times
  – A running process' PCB, memory content

The digital event
! A digital event can be the cause of a data object, or the effect of a data object
  – A process can create a file
  – A file can be created by a process
[Figure, left: "Three cause objects, one effect object", objects X, Y and Z are inputs to event E, whose effect is X'. Right: "Event chain with two events", event E1 produces W from its cause objects, and W is in turn a cause object of event E2, whose effect is W'.]
Digital evidence and incidents
! Some systems have policies that forbid certain digital events
! If one or more of the forbidden digital events occur anyway, the policy is violated and an incident has occurred.
! Digital evidence contains reliable information that supports or refutes a hypothesis about an incident
! A data object is evidence of the forbidden event if the event changed the state of the object

Conducting a Digital Crime Scene Investigation

Digital crime scene investigation
! Needed when an incident has occurred and we must determine the whats, whens and whos of the incident.
! Investigation phases:
  – Preparation: "Pack your bags with equipment to perform the investigation"
  – System preservation: "Minimize the amount of data that is changed/deleted"
  – Evidence search: "Determine what you are looking for, and where you expect to find it"
  – Event reconstruction: "Use evidence to determine what events occurred"

Investigation process: preparations
! Before entering the crime scene:
  – Be sure to bring the necessary tools
    ! Digital cameras, screwdrivers, flashlights, IDE cables, SCSI cables
    ! A prepared forensic workstation, i.e., a computer with a set of reliable tools
  – And the necessary forms for the investigation
    ! Evidence worksheets, system worksheets, evidence labels, chain of custody forms…
    ! These let you document your every step, which is necessary if the case comes to court and you are appointed as expert witness

Investigation process: system preservation
! Preserve the crime scene to prevent changes introduced by:
  – The investigation process itself
  – The attacker, e.g., booby traps, deletion upon shutdown
! Preservation depends on the situation:
  – 1. Non-critical assets, or legal use
    ! Perform a full disk duplication of the suspect computer, i.e., copy the entire content of the disk(s) to a backup disk
  – 2. Semi-critical assets
    ! Contain the suspect computer, i.e., plug network cables into empty hubs, copy critical log data, kill suspect processes, enable system monitoring
  – 3. Critical assets (no downtime allowed)
    ! Perform live incident response, i.e., keep the computer running, copy what you can, monitor

Investigation process: evidence search
[Figure: "Evidence Searching" cycle. Phase 1, Target Definition (a target object) → Phase 2, Data Extraction and Interpretation (data objects) → Phase 3, Data Comparison (target object against data object) → Phase 4, Knowledge Update (new target objects) → back to Phase 1. The cycle overlaps with Event Reconstruction.]
Evidence search
! Phase 1: Target definition
  – Define the target for locating evidence
  – Base the target definition either on previous experience…
  – …or on previously found evidence.
! Phase 2: Data extraction and interpretation
  – Use the target to locate relevant data objects
  – Conduct searches in an ordered pattern
    ! Use interpretation or abstraction layers, i.e., look at each file, each sector or each network packet.
! Phase 3: Data comparison
  – Compare the extracted data to the target
  – Matching data objects are considered potential evidence
! Phase 4: Knowledge update
  – Search the data objects for new targets
  – Update general investigation knowledge
  – Restart from Phase 1 with the new target definitions

Investigation process: event reconstruction
[Figure: "Event Reconstruction Phase", which overlaps with the search phase: Evidence Examination Phase → Role Classification Phase → Event Construction and Testing Phase → Event Sequencing Phase → Hypothesis Testing Phase.]
Goal: to examine each piece of evidence and determine what events it was involved in, so that we can determine which events occurred at the crime scene

Investigation process: event reconstruction process
! Develop and test hypotheses about the events that an object was the effect of and, when applicable, determine what events it could have been a cause of.
! Attempt to deduce previous states by examining the events in which an object may have been involved
! Question why an object has its properties, where they could have come from, and when they were created

Legal aspects and considerations

Digital evidence and the law
! Digital evidence may be used in a court of law
! Evidence may support a physical witness, or be used stand-alone
! The investigator may then be called as an expert witness to explain the relevance of the evidence
! To be credible, the investigator needs to show:
  – That certain measures have been taken during the investigation
  – That no changes have been introduced to the crime scene during the investigation
Guidelines for collecting digital evidence
! There is no established checklist for how to collect evidence for use in a court of law
! However, there are guidelines:
  – Have the theories and techniques employed during evidence collection been tested?
  – Do the techniques for evidence collection have a known error rate?
  – Are the techniques subject to standards governing their application?
  – Do the theories and techniques enjoy widespread acceptance?

Collection procedure
! Verify that no changes have been introduced to the crime scene during the investigation
  – Physical: Don't move furniture, reposition bodies or wash up stains. Isolate the environment. Don't walk around in the area!
  – Digital: Don't move files, run programs or remove data. Isolate the computer. Don't "walk" around in the file system!
  – Physical: Take photos and samples, wear gloves so as not to introduce new objects. Document your actions!
  – Digital: Take snapshots of the computer state, duplicate data, use write blockers. Document your actions!

Expertise needed by the investigator
! Legal procedures and laws of evidence
! Computer technology
! Investigative techniques

The investigator as expert witness
! The investigator as an expert witness in a court of law:
  – Helps judges and juries to understand e-evidence
  – Raises doubt in, or removes doubt from, the minds of the jury
  – Has the knowledge to reconstruct or explain what happened without having observed it directly
  – Is qualified by knowledge, skill, experience, training, or education

Preservation, acquisition and analysis
- Live incident response
- Forensic duplications
- Forensic analysis techniques

Live Incident Response
Live incident response
! Live incident response:
  – Performed while the suspect computer is still running
  – Collect all relevant data to confirm whether an incident has occurred
  – Collect both volatile and non-volatile data
! Volatile data disappears when the computer is powered off
  – Example: process memory content
! Non-volatile data can still be recovered after power off, but might be easier to read if captured with the proper system tools.
  – Example: it is easier to read already formatted system logs than raw binary data.

Live incident response
! Connect your prepared forensic workstation to the suspect computer
[Figure: forensic workstation connected to the suspect computer]
! Set up a channel between the suspect and the workstation
! Run commands to produce data, and transfer the data over the channel
! Hash the data to protect its integrity
! Caveat: every command you run changes the state of the suspect system (a new process, updated access times), and binaries on a compromised host may have been replaced. Run trusted tools from your own workstation or read-only media, collect the most volatile items first, and log each command together with the hash of its output.

Live incident response: volatile data
! Volatile data: disappears on power off
  – System date and time
  – Current network connections
  – Open TCP or UDP ports and related processes
  – Users currently logged on
  – Running processes
  – Open files
  – Process memory dumps
  – System memory dumps

Volatile data
! System date and time
  – Important for correlating time between suspect computers
  – May reveal system and file timestamp tampering
! Current network connections
  – The attacker may still be connected to the suspect computer
  – The attacker may be using the suspect computer to brute-force passwords on other computers
! Open TCP and UDP ports and related processes
  – Useful for separating commonly used ports from suspicious ports
  – Useful for finding suspicious processes by observing the name or path of the processes involved in connections

Volatile data
! Users currently logged on
  – Allows us to find out who is accessing the system right now
  – May reveal attackers that are currently logged in and which accounts they are using
! Running processes
  – Allows us to find suspicious processes currently running
  – May reveal the names of binaries not normally present on the system
! Open files
  – Allows us to see what files, pipes and sockets each running process is using
  – May reveal information regarding the files that are accessed, and also their names

Volatile data
! Process memory dumps
  – Allow us to find cleartext passwords, unencrypted data and the command line used to execute the process
! System memory dumps
  – Allow us to find remnants of previous sessions and other intrusive processes
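The "run commands, transfer the output, hash it" procedure from the live-response slides, as an added example that is not part of the original lecture material. It collects the volatile items listed above in order of volatility, stores each command's raw output on the forensic workstation, and records a SHA-256 per artefact in a manifest so the outputs can be re-verified later. The command names (`date`, `ss`, `who`, `ps`, `lsof`) are an assumption for a Linux suspect host; in practice they should be trusted copies brought on your own media, and the output directory should be on the workstation's disk, never on the suspect's.

```python
"""Live-response collector: run volatile-data commands, keep the raw output, hash it."""
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Assumed Linux command names, most volatile first (assumption: these binaries
# exist; on a real case run trusted copies from your own media, not the suspect's).
VOLATILE_COMMANDS = {
    "date":        ["date", "-u"],
    "connections": ["ss", "-tunap"],
    "logged_on":   ["who"],
    "processes":   ["ps", "-eo", "pid,ppid,user,lstart,args"],
    "open_files":  ["lsof", "-n", "-P"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_volatile(commands=VOLATILE_COMMANDS, outdir=None, timeout=60):
    """Run each command, store its raw stdout as a file, record a SHA-256 per artefact.

    Returns the manifest (also written as outdir/manifest.json). Failures are
    recorded rather than skipped: a missing binary on the suspect host is a finding.
    """
    outdir = outdir or tempfile.mkdtemp(prefix="liveresp-")
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "items": {}}
    for name, argv in commands.items():
        entry = {"command": argv}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data = proc.stdout
            entry["returncode"] = proc.returncode
            entry["stderr"] = proc.stderr.decode(errors="replace")
        except (OSError, subprocess.TimeoutExpired) as exc:
            data = b""
            entry["error"] = repr(exc)
        path = os.path.join(outdir, f"{name}.txt")
        with open(path, "wb") as fh:
            fh.write(data)
        entry["file"] = path
        entry["bytes"] = len(data)
        entry["sha256"] = sha256_hex(data)   # hash taken at collection time
        manifest["items"][name] = entry
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest) -> dict:
    """Re-hash every stored artefact against the manifest; returns {name: bool}."""
    result = {}
    for name, entry in manifest["items"].items():
        with open(entry["file"], "rb") as fh:
            result[name] = sha256_hex(fh.read()) == entry["sha256"]
    return result


if __name__ == "__main__":
    m = collect_volatile()
    for name, e in m["items"].items():
        print(f"{name:12} {e['bytes']:8d} bytes  sha256={e['sha256'][:16]}...  {e.get('error', '')}")
    print("verify:", verify_manifest(m))
```

The manifest is the piece that matters in court: it ties each output file to the exact command, the collection time and a hash, so anyone can later show the artefact has not changed since it was taken.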

Non-volatile data
! Non-volatile data: persists after power off
  – System version and patch level
  – System event logs
  – User accounts
  – Web-server logs
  – Suspicious files

Non-volatile data
! System version and patch level
  – The version and patch level imply which attacks the system is vulnerable to, i.e., the starting point for the investigation
! System event logs
  – Security logs, application logs and system logs
  – Allow us to find relevant entries regarding security issues, or events that either applications or the system find notable
! User accounts
  – Listing the accounts allows us to see whether any new accounts have been created by the attacker

Non-volatile data
! Web-server logs
  – A type of application log, but one that should be treated more carefully since web servers are highly exposed assets
  – If attacks are automated, we can find this out from the timestamps of the individual log entries
  – We can also find out whether the web server executed commands on the host
! Suspicious files
  – Allow us to find more information regarding the attack
  – Usually collected unless a forensic duplication is made

Forensic Duplications

Forensic duplications
! A forensic duplication means making a complete, byte-by-byte copy of the contents of a storage device
! The goal is to transfer all data from the suspect system to the forensic copy without altering the suspect system in any way
! Special devices that block write operations to the suspect system are used

Forensic duplications
! Commercial solutions:
  – Commercial hardware systems
    [Figure: The RoadMASSter 3 Forensics Data Acquisition and Analysis tool]
  – Related software: EnCase or Forensic Tool Kit (FTK)
Forensic duplications
! Non-commercial solutions
  – UNIX programs will do for creating copies
  – Don't underestimate the value of the write blocker, especially where there are legal requirements
  – Tools
    ! The data dump (dd) program performs a byte copy from source to destination
    ! The dcfldd program copies data and produces a hash of every copied block (a configurable window, e.g. 512 bytes) as well as of the whole copy

Forensic duplications
! Differences between commercial and non-commercial duplications:
  – Commercial software costs money, but provides nice interfaces and (hopefully) support, and is more credible in a court of law
  – Commercial hardware costs money, but might be necessary in court to assure that no changes have been made to the evidence disk
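What dd with `conv=noerror,sync` and dcfldd's per-window hashing actually do, as an added example written for this page (not code from the lecture, dd or dcfldd): a block-wise copy that replaces an unreadable block with zeros and carries on, records a hash per block and for the whole image, and a verification step that uses the per-block hashes to say *which* block of an image has changed. The failing-disk source is constructed in memory for the demonstration; on a real case the source is the device behind a write blocker.

```python
"""dcfldd-style forensic duplication: block-wise copy with a hash per block and for the whole image."""
import hashlib
import io

BLOCK = 512  # hash window; dcfldd lets you choose this with hashwindow=


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FlakySource:
    """Constructed stand-in for a failing evidence disk (not a real device):
    read() raises OSError for the block numbers listed in bad_blocks."""

    def __init__(self, data, bad_blocks=(), block_size=BLOCK):
        self.data, self.bad, self.bs, self.pos = data, set(bad_blocks), block_size, 0

    def read(self, n):
        if self.pos // self.bs in self.bad:
            raise OSError("Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def duplicate(src, dst, block_size=BLOCK):
    """Copy src to dst one block at a time (dd-style), hashing as we go.

    Mirrors dd conv=noerror,sync: an unreadable block becomes zeros and the
    copy continues; a short final block is zero-padded. Returns
    (hash of the whole image, per-block hashes, indices of unreadable blocks).
    """
    block_hashes, bad, index = [], [], 0
    total = hashlib.sha256()
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad.append(index)
            src.seek((index + 1) * block_size)      # noerror: skip the bad block
            chunk = b"\x00" * block_size
        if not chunk:
            break
        chunk = chunk.ljust(block_size, b"\x00")    # sync: pad a short block
        dst.write(chunk)
        total.update(chunk)
        block_hashes.append(sha256_hex(chunk))
        index += 1
    return total.hexdigest(), block_hashes, bad


def duplicate_bytes(data, bad_blocks=(), block_size=BLOCK):
    """Duplicate an in-memory 'disk'; returns (image, total_hash, block_hashes, bad)."""
    out = io.BytesIO()
    total, blocks, bad = duplicate(FlakySource(data, bad_blocks, block_size), out, block_size)
    return out.getvalue(), total, blocks, bad


def changed_blocks(image, block_hashes, block_size=BLOCK):
    """Which blocks of image no longer match the recorded per-block hashes?
    The whole-image hash only says *that* something changed; this says *where*."""
    return [i for i, h in enumerate(block_hashes)
            if sha256_hex(image[i * block_size:(i + 1) * block_size].ljust(block_size, b"\x00")) != h]


if __name__ == "__main__":
    disk = bytes(range(256)) * 8                     # constructed 2048-byte "disk"
    image, total, blocks, bad = duplicate_bytes(disk, bad_blocks=[2])
    print("image hash:", total, "unreadable blocks:", bad)
    tampered = image[:600] + b"\xff" + image[601:]
    print("blocks that differ after tampering:", changed_blocks(tampered, blocks))
```

Record the list of unreadable blocks with the image: a later reader of the zero-filled region must be able to tell "the disk could not be read here" from "this area was genuinely empty".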

Forensic Analysis Techniques

Forensic analysis techniques
! Steps that are common to the majority of investigations, i.e., "what you need to do"
  – Recovering deleted files
  – Production of time stamps and other metadata for files
  – Removing known files
  – String searching and file fragments

Recovering deleted files
! Different approaches for different operating systems and file systems
  – The investigator needs good knowledge of how the file system is organized and how the operating system treats deleted data.
  – Usually, the type of file system is provided to the tool. The tool then investigates the file system accordingly.

Production of time stamps and metadata
! Files exist in two shapes, logical and deleted
  – Metadata: full file names, sizes, MAC times, MD5
  – Used for file name searches, timeline analyses and reporting
  – Common UNIX tools can do this for logical data.
  – Specialized tools can do it also for deleted data
Removing known files
! Limit the number of files that need to be considered
! Remove the files that are considered normal…
  – Compare the hash of every file in the file system to a known-good set of hashes
    ! Collections of such hashes exist
    ! Remove the matches

String searching and file fragments
! When searching for data, two situations may come up:
  ! A data object, e.g., a file, is found
    – Inspect the file directly with a suitable application
    – Look for keywords that can move the search forward
  ! A keyword or string, e.g., 'b0mb', is present
    – Search the system for data objects containing the string
    – Investigate the rest of the data object
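The three reduce-and-pinpoint techniques from the preceding slides (metadata and MAC-time timeline, known-file removal by hash, keyword search) chained together over one evidence tree, as an added example written for this page rather than code from the lecture. It walks a directory, records name, size, MAC times and MD5 per file, drops files whose hash is in a known-good set, builds a timeline from the remaining time stamps, and searches the survivors for a keyword or regular expression. The evidence tree and the known-good hash set are constructed inline; a real case would use a mounted forensic image and a reference hash collection, and MD5 appears here only because it is what the slide lists.

```python
"""Reduce and pinpoint: file metadata, known-file removal, timeline and keyword search."""
import hashlib
import os
import re
import tempfile

# Constructed evidence tree (not real data): two "known" binaries, one unknown binary,
# a log and a harmless user file. 203.0.113.5 is from the documentation address range.
DEMO_FILES = {
    "bin/ls":               b"ELF known ls binary (constructed)",
    "bin/netstat":          b"ELF known netstat binary (constructed)",
    "tmp/.x/sniff":         b"ELF unknown binary: listen 31337, drop b0mb",
    "var/log/auth.log":     b"Jan 01 03:12:55 host sshd[42]: Accepted password for root from 203.0.113.5\n",
    "home/alice/notes.txt": b"shopping list\n",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Stand-in for a reference hash set; in reality it comes from package manifests or a
# published collection, never from the suspect system itself.
KNOWN_GOOD_MD5 = {md5_hex(DEMO_FILES["bin/ls"]), md5_hex(DEMO_FILES["bin/netstat"])}


def build_demo_tree(root=None):
    root = root or tempfile.mkdtemp(prefix="evidence-")
    for rel, content in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def file_metadata(path):
    """Name, size, MAC times and MD5 for one logical file (what the slide calls metadata)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = md5_hex(fh.read())
    return {"path": path, "size": st.st_size, "mtime": st.st_mtime,
            "atime": st.st_atime, "ctime": st.st_ctime, "md5": digest}


def walk_metadata(root):
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                rows.append(file_metadata(path))
    return rows


def remove_known(rows, known_md5):
    """Known-file removal: keep only files whose hash is not in the known-good set."""
    return [r for r in rows if r["md5"] not in known_md5]


def timeline(rows):
    """MAC timeline: one (timestamp, kind, path) entry per time stamp, oldest first."""
    return sorted((r[kind], kind, r["path"]) for r in rows for kind in ("mtime", "atime", "ctime"))


def keyword_search(rows, pattern, context=20):
    """Search the remaining files' raw bytes for a keyword/regex; returns (path, offset, snippet)."""
    rx = re.compile(pattern.encode())           # bytes regex: also hits fragments inside binaries
    hits = []
    for r in rows:
        with open(r["path"], "rb") as fh:
            data = fh.read()
        for m in rx.finditer(data):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((r["path"], m.start(), data[lo:hi]))
    return hits


if __name__ == "__main__":
    root = build_demo_tree()
    rows = walk_metadata(root)
    remaining = remove_known(rows, KNOWN_GOOD_MD5)
    print(f"{len(rows)} files, {len(remaining)} left after removing known files")
    for ts, kind, path in timeline(remaining):
        print(f"{ts:.0f} {kind} {os.path.relpath(path, root)}")
    for path, off, snippet in keyword_search(remaining, "b0mb"):
        print("hit:", os.path.relpath(path, root), "@", off, snippet)
```

Each hit feeds back into the evidence-search loop: the file around a keyword hit becomes the next data object to inspect, and what you learn from it (a port number, an address, a user name) becomes the next target definition.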

Application areas
! Email tracing
! Web browsing reconstruction
! Intrusion analysis
! Cell phone and PDA forensics
! USB and Flash memory forensics
! Static and dynamic binary analysis

Conclusion
! Computer forensics is the application of technology and science to establish facts in a court of law
! A digital investigation preserves the crime scene, searches for evidence, and reconstructs events
! A digital investigator needs to know computers and the legal system, and to be able to draw conclusions
! Different approaches to the investigation are required depending on the situation: at one extreme we have live response, at the other forensic duplication
! Several techniques are available to reduce the data and to pinpoint the important objects
! Forensics has many application areas, including PDA forensics and intrusion analysis