www.vita.virginia.gov
Computer Forensics
Michael Watson, Director of Security Incident Management
NSAA Conference, 10/2/09
Overview
• Purpose behind computer forensics
• Challenges faced within the field
• Basic information about how to conduct an investigation and the tools used
• Quick tips for performing Windows forensic investigations
Purpose
• Collection of evidence in a manner that can be relied upon
  – Law enforcement will likely duplicate it, but they will use it if they have to
• To remove doubt that the evidence has been tampered with or altered in any way
• Find evidence that a system, and ultimately the system’s user, were involved in the action under investigation
Computer Forensics
• Principles for dealing with digital evidence
  – Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
  – Persons conducting an examination of digital evidence should be trained for that purpose.
  – Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
Source: “Forensic Examination of Digital Evidence: A Guide for Law Enforcement”
Evidence Challenges
• Physically collecting the evidence
  – How do you prevent being accused of tampering?
• Taking actions that do not modify any evidence
  – Specialized tools for collecting digital evidence
• Making sure a device’s state does not change while in possession
  – Cell phones and remote signals
• Preserving evidence
  – Systems can’t be shut off without losing volatile data
Legal Challenges
• Different laws throughout different states
• Wiretap laws
• Federal vs. state
• Important laws to note
  – Fourth Amendment – unreasonable search and seizure
  – Fifth Amendment – protection against self-incrimination
  – Wiretap Act (18 U.S.C. 2510-22)
  – Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)
  – Stored Wire and Electronic Communications Act (18 U.S.C. 2701-120)
Organization Challenges
• No expectation of privacy
  – Requires detailed policies
  – Periodic renewal of consent to policies
• Personal equipment use
• Teleworking
• Data management
Performing a Forensic Investigation
• Persistent Data – Data that is preserved when the system does not have power
  – Typically data stored on a “drive”
    • Hard Drive
    • USB Drive
    • Floppy Drive
• Volatile Data – Transient data that is lost when power is no longer available
  – Volatile data may exist in memory after the computer powers down in certain situations
Forensic Tools
• Data collection tools
  – EnCase
  – Forensic Toolkit (FTK)
  – Write blockers
  – Disk imagers
• Network analysis tools
  – Wireshark, tcpdump
• Distributions
  – Knoppix, Helix
Collecting Evidence
• Take pictures
• Have a witness
  – Preferably a non-technical witness
• Establish chain of custody
• Secure evidence storage
• Log evidence access
• Create a forensic image of the system
  – Create a working copy of the image
Analyzing a Windows System
• Thumbnails
• Windows Registry
  – Application and system information storage
• AppData
  – Persistent application data stored here
• Indexing
• Wireless Interface Connections
  – C:\Users\All Users\Microsoft\Wlansvc\Profiles\Interfaces
Interesting Registry Locations
• RunMRU
  – The commands entered into the Run dialog box. The MRUList value shows the order of execution.
• OpenMRU/LastVisitedMRU – post-WinXP only
  – Opens and saves from the OS dialog box
• HKLM\SYSTEM\<ControlSetID>\Enum
  – Subkey 1394 for FireWire devices
  – Subkey USB for Universal Serial Bus devices
Devices Connected to the System
• How do I find when a device was FIRST connected to a computer?
  – Examine setupapi.log
    • %windir%\setupapi.log in XP and 2003 Server
    • %windir%\inf\setupapi.dev.log in Vista
• List of USB Vendor IDs and associated Product IDs
  – http://www.linux-usb.org/usb.ids
    • This list may be somewhat out of date
• Devices typically have their own serial number
  – Windows Generated Serial Number
    • Windows-generated serial numbers have ampersands as the 2nd, 10th, and 12th characters of the serial number
      – X&XXXXXXX&X&P
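As an added example (not material from the slides), the following Python resolves the vendor and product ids in a USB device instance path against a usb.ids-format list and applies the slide's rule to tell a device-supplied serial number from a Windows-generated one; the usb.ids excerpt and the instance paths are constructed, and the path format VID_xxxx&PID_xxxx\<serial> is assumed.

```python
"""Added example, not from the original slides: classify USB serial numbers and
resolve VID/PID pairs (Enum\\USB path VID_xxxx&PID_xxxx\\<serial>) via a usb.ids list."""
import re

# Constructed excerpt in usb.ids format: vendor line "<vid>  <name>", then
# tab-indented product lines "\t<pid>  <name>". The real file is linked on the slide.
USB_IDS_SAMPLE = """\
# constructed sample, not the real usb.ids
0781  SanDisk Corp.
\t5567  Cruzer Blade
\t5583  Ultra Fit
0951  Kingston Technology
\t1666  DataTraveler 100 G3
"""

def parse_usb_ids(text):
    """Parse usb.ids text into {vid: (vendor_name, {pid: product_name})}."""
    vendors, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t"):            # product line under the current vendor
            if current is None:
                continue
            pid, _, name = line.strip().partition("  ")
            vendors[current][1][pid.lower()] = name
        else:                                # vendor line
            vid, _, name = line.partition("  ")
            current = vid.lower()
            vendors[current] = (name, {})
    return vendors

def is_windows_generated_serial(serial):
    """Slide rule: a Windows-generated serial (the device supplied none) has '&' as
    its 2nd, 10th and 12th characters (X&XXXXXXX&X&P); device serials do not."""
    return len(serial) >= 12 and serial[1] == "&" and serial[9] == "&" and serial[11] == "&"

INSTANCE_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\\s]+)")

def describe_device(instance_path, vendors):
    """Resolve one instance path to vendor/product names and flag whether its
    serial is Windows-generated; returns None when the path does not match."""
    m = INSTANCE_RE.search(instance_path)
    if not m:
        return None
    vid, pid, serial = m.group(1).lower(), m.group(2).lower(), m.group(3)
    vendor_name, products = vendors.get(vid, ("unknown vendor", {}))
    return {"vid": vid, "pid": pid, "serial": serial, "vendor": vendor_name,
            "product": products.get(pid, "unknown product"),
            "windows_generated": is_windows_generated_serial(serial)}
```

Only a device-supplied serial identifies one specific physical device; a Windows-generated one tells you the device had no serial of its own, so pair it with the setupapi log timestamps rather than treating it as a unique identifier.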
Internet Explorer Data
• Data Recorded by Internet Explorer
  – IE 6 – complete history retained even with clear history
  – IE 7 – most history removed with delete all option
  – IE 8 – InPrivate browsing can prevent data from being recorded
• Temporary Internet Files
• Index.dat
  – Contains all sites visited
Windows Gotchas
• Defragment
  – Will overwrite slack disk areas
  – Touches every file
  – Scheduled for 3 AM every Wednesday by default
• Last access time – Vista only
  – Turned off by default
• Self-healing file systems
  – Will replace Windows files that look to be damaged or that don’t have the correct metadata
• BitLocker
  – Whole disk encryption can impede forensic imaging
Review
• Purpose behind computer forensics
• Challenges faced within the field
• Basic information about how to conduct an investigation and the tools used
• Quick tips for performing Windows forensic investigations
Questions
For more information please contact me at: Michael.Watson@VITA.Virginia.GOV
Thank You!