
Page 1: An Introduction to Computer Forensics

An Introduction to Computer Forensics

Randy Ribler

Department of Computer Science

Lynchburg College

Page 2: An Introduction to Computer Forensics

Computer Forensics Definition

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

- Judd Robbins, “An Explanation of Computer Forensics”

Page 3: An Introduction to Computer Forensics

Application of Computer Forensics

- Securing evidence in criminal and civil litigation
  - Terrorism
  - Child Pornography
  - Industrial Espionage
- Documenting/Investigating a breach of network security
- Recovering inadvertently deleted data

Page 4: An Introduction to Computer Forensics

High-profile Computer Forensics Cases

- Dismissal of U.S. attorneys controversy
  - Lost emails
  - “Some official e-mails have potentially been lost and that is a mistake the White House is aggressively working to correct.” - Scott Stanzel, White House spokesman
- Forged Email
  - Larry Ellison loses sexual harassment case against former employee
  - Employee later shown to have been the forger of incriminating email that appeared to be confirming Ellison’s role in her firing. (She was later convicted of perjury.)

Page 5: An Introduction to Computer Forensics

Principal Targets of Computer Forensics

- Hard Disk Drives
- USB Drives, floppy disks
- SD memory, Compact Flash, and other static memory
- RAM (Random Access Memory)

Page 6: An Introduction to Computer Forensics

Basic Computer Architecture

- Central Processing Unit (CPU)
- Main Memory (RAM) (volatile memory)
  - Turn off the computer and it forgets
- Disk Drive: non-volatile (persistent) memory
  - Maintains data across shutdowns
  - Data Files
  - Temporary Files
  - Registry Entries
  - Unallocated Space
  - Swap Space
  - Log Files
  - Email

Page 7: An Introduction to Computer Forensics

Disk Geometry

Page 8: An Introduction to Computer Forensics

Disk Sectors and Clusters

Sectors are physical areas of the disk that typically represent the smallest addressable units of storage. When a disk drive reads or writes data, it typically does so in complete sectors.

Clusters are logical entities consisting of one or more sectors. Clusters are the smallest addressable unit of storage used by a file system.

Page 9: An Introduction to Computer Forensics

How Clusters are Allocated to Files

- Initially, the disk drive consists of a large number of unallocated clusters.
- When a file is stored, the number of clusters needed to store the data are allocated to that file.
- A File Allocation Table keeps track of which clusters are allocated to which files.

Page 10: An Introduction to Computer Forensics

Files Stored on a Disk

The diagram shows the data for two files stored on the disk. One file has been allocated contiguous clusters (shown in green). The other file has been allocated noncontiguous clusters (shown in blue).

The file allocation table keeps track of the clusters allocated to each file. When the file is deleted, the file allocation table is modified to show that the clusters are now available for reuse, but no modification is made to the data in the clusters.

Page 11: An Introduction to Computer Forensics

Foolproof methods for rendering previously stored data unreadable

- Using a sledge hammer to reduce the disk platters to dust
- Overwrite every sector on the disk
- Store at least one irreplaceable file on it, for which you have no backup (Unproven, but with strong anecdotal evidence)

Page 12: An Introduction to Computer Forensics

Deleting Disk Data

- “Wiping” a file consists of deleting the file and overwriting the contents of the associated clusters
  - Random data
  - All ones and/or all zeros
  - Multiple overwrites
- Single overwrite seems to be adequate for modern disk drives
  - http://www.springerlink.com/content/408263ql11460147/
- Remnants of the file may still exist in other parts of the system (e.g., swapfile, temporary files, registry entries, etc). If so, data from wiped files can still be recovered.
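The allocation, deletion and wiping behaviour described on pages 9 through 12, as an added toy model (not from the slides): a constructed FAT-like volume in which an ordinary delete only edits the allocation table, so the deleted text can still be carved from unallocated clusters, while a wipe overwrites the clusters first. Cluster size, file names and contents are constructed for the example.

```python
import os
import re

CLUSTER = 2048   # 4 sectors of 512 bytes; a constructed geometry
FREE = None      # allocation-table entry for an unallocated cluster

class ToyVolume:
    """Toy FAT-like volume: a flat cluster array plus a table mapping each
    cluster to the file that owns it (None = unallocated). Constructed model."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.table = [FREE] * clusters
    def write_file(self, name, content):
        # Take the first free clusters; they need not be contiguous.
        needed = -(-len(content) // CLUSTER)        # ceiling division
        free = [c for c, o in enumerate(self.table) if o is FREE][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.table[c] = name
        return free
    def delete(self, name):
        # An ordinary delete only edits the table; the clusters keep their bytes.
        owned = [c for c, o in enumerate(self.table) if o == name]
        for c in owned:
            self.table[c] = FREE
        return owned
    def wipe(self, name, passes=1):
        # "Wiping": delete, then overwrite every associated cluster with random data.
        for c in self.delete(name):
            for _ in range(passes):
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
    def carve_unallocated(self, pattern):
        # Investigator's view: search only the clusters the table marks as free.
        return [(c, m.group(0))
                for c, o in enumerate(self.table) if o is FREE
                for m in re.finditer(pattern, bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]))]

def demo():
    vol = ToyVolume(clusters=8)
    vol.write_file("report.txt", b"quarterly figures\n" * 300)         # 5400 bytes: clusters 0-2
    vol.write_file("memo.txt", b"MEMO: deleted but not overwritten")    # cluster 3
    vol.write_file("secret.txt", b"SECRET: wiped after deletion")       # cluster 4
    vol.delete("memo.txt")    # plain delete: table updated, bytes untouched
    vol.wipe("secret.txt")    # wipe: delete, then overwrite the cluster
    return {"memo": vol.carve_unallocated(rb"MEMO: [^\x00]+"),
            "secret": vol.carve_unallocated(rb"SECRET: [^\x00]+")}
```

The deleted memo comes back from cluster 3 with its text intact; the wiped file yields nothing, which is exactly the difference between deleting and wiping that the slide draws.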

Page 13: An Introduction to Computer Forensics

Protection of evidence is critical

Ensure that:

- no possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
- no possible computer virus is introduced to a subject computer during the analysis process.
- extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
- a continuing chain of custody is established and maintained.
- business operations are affected for a limited amount of time, if at all.
- any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.

* Bullet points from Judd Robbins: http://www.computerforensics.net/forensics.htm

Page 14: An Introduction to Computer Forensics

Forensic Procedure for Securing Disk Data for Analysis

Extreme care must be taken to ensure that the data does not become modified as a side-effect of forensic analysis.

- Turn the computer off if it is on
- Remove the disk from the computer
- Write-protect the drive
- Use forensic software to create an “image file”
  - Image files contain a byte-for-byte copy of the sectors contained on the disk
- Secure the original disk
- All further analysis must be performed on the image file.
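The imaging step of this procedure, as an added example that is not from the slides or from any particular forensic tool: a sector-by-sector, byte-for-byte copy of a read-only source into an image file, after which source and image are hashed and compared. The hash comparison is an addition to the slide's procedure; the source here is a constructed 64-sector file standing in for a write-protected drive.

```python
import hashlib
import os
import tempfile

SECTOR = 512   # bytes per sector; the copy proceeds in whole sectors


def acquire_image(source_path, image_path, sector=SECTOR):
    """Copy source_path byte for byte into image_path, hashing the bytes as they
    are read, then re-read the finished image from disk and hash it independently.
    Returns an acquisition record; the hash comparison is an addition to the
    slide's procedure, not something the slide states."""
    src_hash = hashlib.sha256()
    sectors = 0
    # Evidence is opened read-only; the tool itself must never write to it.
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(sector), b""):
            src_hash.update(block)
            img.write(block)
            sectors += 1
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(sector), b""):
            img_hash.update(block)
    return {
        "sectors": sectors,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.digest() == img_hash.digest(),
    }


def demo():
    """Constructed stand-in for a write-protected drive: 64 sectors, mostly
    zero, with one string planted in the last four sectors."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.raw")
        planted = b"draft email to counsel".ljust(4 * SECTOR, b"\x00")
        with open(source, "wb") as f:
            f.write(b"\x00" * (60 * SECTOR) + planted)
        image = os.path.join(tmp, "evidence.dd")
        record = acquire_image(source, image)
        # Analysis happens on the image: the planted string is found there,
        # at the same byte offset it had on the source.
        with open(image, "rb") as f:
            record["string_offset"] = f.read().find(b"draft email to counsel")
        return record
```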

Page 15: An Introduction to Computer Forensics

Computer Forensic Software

- Many software tools exist to recover deleted files and find keywords and other data of interest
- EnCase is one of the more popular and powerful tools available
  - http://www.youtube.com/watch?v=O4ce74q2zqM

Page 16: An Introduction to Computer Forensics

E-mail – The most frequent smoking gun

“You can't erase e-mails, not today… They've gone through too many servers. Those e-mails are there –” Senator Patrick Leahy

Page 17: An Introduction to Computer Forensics

Finding lost Emails

Emails can be recovered from a number of different locations:

- Local user files
  - POP3 email client protocols copy all email data to the local disk
  - Under many email clients (including Outlook) deleted emails exist in the local archive even after they are purged from the deleted mail folder.
  - IMAP email client protocols leave the email on the server, but local copies are likely to exist in temporary or swap files
- Servers
  - Mail servers will maintain email records
- Backups
  - Backups of both client and server machines can provide copies of deleted emails

Page 18: An Introduction to Computer Forensics

Encryption/Decryption

- Data is encrypted before it is stored on the disk
- Without the key, the data cannot be understood
- Deleted files are unreadable
- Data in memory is not encrypted
  - Such data might still be referenced in swap files, system logs, and registry entries

Page 19: An Introduction to Computer Forensics

String Search Techniques

- String search algorithms
  - Search for a “regular expression”
  - CS[1-3][0-9][0-9][ ]*[rR][iI][bB][lL][eE][rR]
- Index the entire disk
  - Make a list of all the places on the disk each keyword appears
  - Indexes can be very large
  - Very fast response to keyword queries
  - Indexes are generally created in a “batch” mode, and interactive investigation proceeds after the index generation is complete

Page 20: An Introduction to Computer Forensics

Princeton Encryption Hack

http://www.youtube.com/watch?v=JDaicPIgn9U

Page 21: An Introduction to Computer Forensics

Implications of the Princeton Encryption Hack

Perhaps computer forensic investigation will now include investigation of RAM images. The same techniques used for disks can be applied.

Many encryption

Page 22: An Introduction to Computer Forensics

Steganography

steganography: http://en.wikipedia.org/wiki/Steganography

Page 23: An Introduction to Computer Forensics

Credibility of Digital Data

- Unlike other forensic evidence, digital data on a computer can be modified without physical access to the computer.
- How do we know that incriminating evidence has not been planted?
- Recent case of files in Windows Options directory: http://news.bbc.co.uk/1/hi/scotland/tayside_and_central/6968663.stm

Page 24: An Introduction to Computer Forensics

Problems with Digital Data

- Metadata, such as file access/creation times and file ownership, can be changed easily
- Emails and any other data can be fabricated
- Given a blank disk, we can create any image we like