Digital Forensics
David Papargiris, EnCE, DFCP, GCFA, CCE
Director Digital Forensics
Evidox Corporation
EDMOND LOCARD
French forensic pioneer
Locard’s Exchange Principle
"Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent
witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he
breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and
more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of
the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong,
it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can
diminish its value."
Locard’s Exchange Principle
* The Illustrated guide to Forensics - True Crime Scene Investigations By Dr. Zakaria Erzinclioglu
Increase in Cybercrimes
• First time cybercrime surpassed traditional crimes.
• Increase of computers in houses
• Increase in pay-off (e.g., bank robbery)
• Crimes being committed through computers
How Times Have Changed
• It took 38 years for 50 million users to use the radio.
• It took 13 years for 50 million users to use a television.
• It took 4 years to have 50 million users on the internet.
• It took 9 months for 100 million users to register on Facebook (1.11 billion in March 2013).
(www.tactweet.com)
When Were the First Computer Monitor and Mouse Available?
CYBER CRIME INVESTIGATIONS
Case Examples
DENNIS RADER, THE “BTK KILLER”
• Killed 10 in 30 years
• Sent floppy disk to police
• Contained metadata
source: www.wikipedia.com
9) Volume D\Unallocated Clusters\C384554-385932
Ventus International Agency Letter dated 12-13-00 to John Hancock
Dec. 18, 2000 Gd.Pl.
To: John Hancock Life Insurance Company, Boston, MA 02117
Ref: Edward Cxxxxx VS xxxxxxx in ATTLEBORO DISTRICT COURT,
Attleboro, MA 02703, Docket # 00xx SC xxxx,
(see attachment)
Gentlemen!
Based on our two-year observation, your Company TOP insurance
underwriters of LONGTERM CARE INSURANCE DEPARTMENT at Boston,
MA, indicates’ that there may evaluate Insurance Applications
under influence of DRUGS- MARIJUANA (Marihuana). With-in your
building there is also intensive DRUG TRAFFICING going for
years! We also noticed that do to heavy volume of applicants,
you allow your underwriters evaluate The Cases OUT SITE your
Home Office on their free time and weekends at their homes in
order to increase Department Productivity or Deadlines!
MICHAEL “MUCKO” MCDERMOTT
• Convicted for murders of co-workers
• Internet searches related to faking mental illness
©2010 Office of Massachusetts Attorney General Martha Coakley
Serial Killer Caught By His Own Internet Footprint
By Peter Shinkle, St. Louis Post-Dispatch, 6-17-2001
Maury Travis
Travis decided it was a good idea to point authorities to the decomposing body of an undiscovered victim near West Alton, Missouri, by sending directions to the local paper, the St. Louis Post-Dispatch; the directions were later found to have come from Expedia.com.
Civil Case Examples
Leon v. IDX Systems - A case relying heavily on computer forensic analysis in determining that the plaintiff spoliated evidence by deleting 2,200 files from his IDX-issued laptop computer during the pendency of litigation in which the plaintiff was suing his employer, the defendant, for placing him on unpaid leave, alleging violations of the anti-retaliation provision of the False Claims Act, Title VII, the Americans with Disabilities Act ("ADA"), and Washington state law.
Berryman-Dages v. Gainesville - A case in which a non-party was subpoenaed to produce computers, laptops, hard drives, etc. for examination, to aid in showing that the plaintiff was demoted due to discrimination based on gender and sexual orientation.
Webb v. CBS - In this case the defendant, CBS, was compelled to hire a computer forensics expert to examine the plaintiffs' personal computer and review the results. The court ordered this because of the plaintiffs' failure to comply with their discovery obligations under the Federal Rules of Civil Procedure, their misleading statements in depositions and false affidavits to the court about the existence of discoverable information, their counsel's active concealment of confidential CBS documents, and their violation of the court's order closing discovery.
Bimbo Bakeries v. Botticella - A case that relied on the use of computer forensics to determine whether the appellant, a VP of Operations, copied company confidential files onto his personal computer before leaving his job to work for a competitor.
http://infosecusa.com/computer-forensics-civil-cases
EXIF & GEO TAGGING
©2007 Office of Massachusetts Attorney General Martha Coakley
Defining Digital Forensics
Digital forensics is the controlled process of identifying, preserving, analyzing, and
presenting findings related to the existence or significance of data stored on digital storage
media, computers, and other devices for use in court.
DIGITAL FORENSICS: ART OR SCIENCE?
• Science – some procedures are repeatable
  – Imaging
• Art – no two examinations are the same
  – Two examiners should get the same data
DIGITAL FORENSICS MYTHS
• We can recover everything
• It’s quick and easy
• A ‘shoestring’ budget is sufficient
• Data will never change during an exam
Hard Drive Storage
How does a computer system load and store data?
Allocated and unallocated space
Slack Space
Think of a VCR tape.
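The slack-space slide above relies on the VCR-tape analogy; the following is an added simulation, not code from the deck, showing why a file written into a previously used cluster leaves the old contents readable in its slack, and why deleting a file only releases its cluster without erasing it. It assumes a 4 KiB cluster size and uses constructed file contents.

```python
# Added simulation of file slack, not code from the deck. A toy volume of 4 KiB
# clusters lives in a bytearray; every file's contents below are constructed samples.
CLUSTER = 4096  # bytes per cluster (assumed; a common FAT32/NTFS allocation unit)

class ToyVolume:
    def __init__(self, clusters: int):
        self.disk = bytearray(CLUSTER * clusters)
        self.fat = {}  # allocation table: name -> (cluster index, logical size)

    def write(self, name: str, data: bytes, cluster: int) -> None:
        # Only len(data) bytes are overwritten; the rest of the cluster keeps its old
        # contents, like a short recording taped over a longer one on a VCR tape.
        assert len(data) <= CLUSTER
        start = cluster * CLUSTER
        self.disk[start:start + len(data)] = data
        self.fat[name] = (cluster, len(data))

    def delete(self, name: str) -> None:
        # Deletion drops the allocation entry; the cluster's bytes stay on disk.
        del self.fat[name]

    def logical(self, name: str) -> bytes:
        # What a normal program sees: the file's bytes up to its recorded size.
        cluster, size = self.fat[name]
        return bytes(self.disk[cluster * CLUSTER:cluster * CLUSTER + size])

    def slack(self, name: str) -> bytes:
        # File slack: bytes from the end of the file to the end of its cluster.
        cluster, size = self.fat[name]
        return bytes(self.disk[cluster * CLUSTER + size:(cluster + 1) * CLUSTER])

    def unallocated_clusters(self) -> list:
        used = {c for c, _ in self.fat.values()}
        return [i for i in range(len(self.disk) // CLUSTER) if i not in used]

def demo() -> dict:
    vol = ToyVolume(clusters=4)
    # A 4,000-byte memo occupies cluster 1 and is then deleted.
    memo = b"CONFIDENTIAL MEMO: project Bluebird is cancelled. " * 80
    vol.write("memo.txt", memo, cluster=1)
    vol.delete("memo.txt")
    # A 40-byte note reuses cluster 1, overwriting only its first 40 bytes.
    vol.write("notes.txt", b"Grocery list: milk, eggs, bread, coffee.", cluster=1)
    return {
        "logical": vol.logical("notes.txt"),
        "slack_len": len(vol.slack("notes.txt")),
        "memo_in_slack": b"Bluebird" in vol.slack("notes.txt"),
        "unallocated": vol.unallocated_clusters(),
    }
```

A bit-by-bit image captures the whole cluster, slack included, which is why a logical file copy is not sufficient for examination.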
DIGITAL FORENSICS BASIC PROCEDURES
• Create duplicate of the media
• Verify that the image is an exact duplicate
• Backup the image
• Place original into evidence
• Use forensic software to conduct analysis
FORENSIC PROCESS
• Documenting the evidence
• Is the system running? (memory)
• Checking the BIOS on computer systems
• Conducting the bit-by-bit image of the media
• Why do we conduct bit-by-bit images?
• Solid state hard drives
Write Blockers
• 2 types of write blockers:
  • Hardware
  • Software
Solid State Hard Drives
EnCase & Example of Solid State Drives
Deleted Folder
Preview of Drive 2 Minutes Later
Garbage Collection
AUTHENTICATING EVIDENCE
Hash Values
• A hash value is a digital fingerprint of a block of data (file, string, contents of media, etc.)
• The chances of two different files having the same hash value are 1 in 2^128
• One in approximately 340 billion billion billion billion
• In other words, if the hash values are the same, then there’s a 99.99999% chance that the files are the same
• Better than DNA
What Happens When You Rename a File or Rename the Extension?
File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity:
Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry:
Total Size 12.7GB (26,712,000 sectors)
Cylinders: 28,266
Heads: 15
Sectors: 63
Partitions:
Code  Type    Start Sector  Total Sectors  Size
0C    FAT32X  0             26700030       12.7GB
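As an added example (not the deck's or EnCase's code), the routine below mirrors what the acquisition report records: the hash of the original media, the hash of the finished image, and the check that the two match; it also demonstrates the rename slide's point that a new name or extension leaves the hash unchanged while a single altered byte does not. MD5 is used only because the report's 32-hex-digit hashes are MD5; the same check works unchanged with SHA-256, which a current workflow would use. Constructed "media" bytes stand in for a real drive.

```python
# Added example of hash-based evidence authentication, not code from the deck.
# The 'media' file is a constructed byte string, not a real drive image.
import hashlib
import os
import tempfile

def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def acquire(source: str, image: str) -> tuple:
    """Bit-for-bit copy plus the two hashes an acquisition report records:
    the hash of the original media and the hash of the finished image."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    return md5_of(source), md5_of(image)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "suspect_drive.bin")
        # Constructed sample media: a short header followed by repeating sector data.
        with open(media, "wb") as f:
            f.write(b"MBR..." + bytes(range(256)) * 64)
        image = os.path.join(d, "suspect_drive.E01")  # name only; not EWF format
        acq, ver = acquire(media, image)

        # Renaming the file or changing its extension alters no bytes, so the hash holds.
        renamed = os.path.join(d, "vacation_photo.jpg")
        os.rename(image, renamed)
        after_rename = md5_of(renamed)

        # Flipping a single byte changes the whole digest.
        with open(renamed, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        after_edit = md5_of(renamed)

    return {
        "verified": acq == ver,
        "rename_keeps_hash": after_rename == acq,
        "edit_changes_hash": after_edit != acq,
    }
```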
Digital Forensic Stages
• Identify
• Preserve
• Recover
• Present
Example
In Explorer Window
Deleted View
Digital Forensic Equipment
• Imaging device
• Forensic workstation & storage system
• Mobile devices
• GPS units
QUESTIONS
David Papargiris, Director Digital Forensics
Evidox Corporation, David@Evidox.com
617-654-9060