Introduction to Computer Forensics and Hashing

What is Forensics?

Forensics, in its original sense, is the art and study of argumentation and formal debate. In the sense used here, it is the application of a broad spectrum of sciences to answer questions of interest to the legal system.

Forensic Science is the science and technology that is used to investigate and establish facts in criminal or civil courts of law.

Criminal Justice Fundamentals

How a case usually plays out:
- Law enforcement is notified of the crime
- Evidence is gathered; this may require search warrants
- Suspects are developed
- Interviews or interrogations are conducted
- The suspect is charged
- The case, with its evidence, is turned over to the prosecutor

What is Computer Forensics?

Computer forensics is forensics applied to information stored on or transported by computers.

It “involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”

Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.

What is Computer Crime?

Three situations where you might find evidence on a digital device:
- The device was used to conduct the crime: child pornography/exploitation, threatening letters, fraud, embezzlement, theft of intellectual property
- The device was the target of the crime: incident response, security breach
- The device was used to support the crime

What is evidence in terms of Computer Forensics?

It can be anything:
- As small as a few bytes; could be, and hopefully will be, complete files
- Could be deleted; could be encrypted
- Likely will be fragments of files: a few words, a couple of sentences, hopefully some paragraphs
- Registry entries or log entries

Where do we find it?

- Storage media
- RAM
- Log files
- Registry

How might the information be stored?

- Might be plain data with no hidden agenda
- The data could be encrypted
- Data could be hidden
- Could be hostile code

Data Encryption

Encrypting data can serve the data in two ways:
- Protect data: use of ciphers. Files might need to be decrypted; the decryption program is generally stored fairly close to the file to be decrypted, and is probably password protected.
- Prove integrity: note that a cipher alone does not do this. Ciphertext can be altered without the change being detectable unless a separate integrity check is present; integrity is established with a hash (see the authentication and hashing material below).

Data Hiding

Data could be obfuscated. Encryption is a method of modifying data so that it is meaningless and unreadable in its encrypted form; it must also be reasonably secure, that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation: data rendered unusable by some means, but not considered a serious form of encryption (XOR with a fixed byte, Base64 and ROT13 fall into this class).
- Data could be compressed
- Data could be hidden in plain sight: innocent-looking data has an alternate meaning
- Data could be hidden within the file system

Data Hiding (contd.)

- Data could be hidden in a file: steganography, the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message
- Invisible names, misleading names, obscurity, no names
- Hidden data might not be in a file: slack, swap, free space
- Removable media

Hostile Code

Presume that any unknown code is hostile: guilty until proven innocent.

Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile:
- Remote access
- Data gathering
- Sabotage
- Denial-of-service
- Eluding detection
- Resource theft
- Circumvention of access control mechanisms
- Social status

How do we go about the business of Computer Forensics?

Three A's of Computer Forensics:
- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.

Acquire the evidence

- How do we seize the computer?
- How do we handle computer evidence?
- What is chain of custody? Evidence collection, evidence identification, transportation, storage
- Documenting the investigation

Authenticate the Evidence

Prove that the evidence is indeed what the criminal left behind. Contrary to what the defense attorney might want the jury to believe, readable text or pictures don't magically appear at random.

Calculate a hash value for the data: MD5, SHA-1, SHA-256, SHA-512. MD5 and SHA-1 both have practical collision attacks today, so record at least one SHA-2 digest (SHA-256 or SHA-512) alongside any legacy MD5 or SHA-1 value.

Analysis

- Always work from an image of the evidence and never from the original.
- Prevent damage to the evidence: make two backups of the evidence in most cases.
- Analyze everything; you may need clues from something seemingly unrelated.

Tools

- Password crackers
- Hard drive tools: fdisk on Linux
- Viewers: QVP, Diskview, Thumbsplus
- Unerase tools
- CD-R utilities
- Text search tools
- Drive imaging: Safeback, Linux dd
- Disk wiping
- Forensic toolkits
- Forensic computers

Forensic Software

Forensic Toolkit (FTK), The Coroner's Toolkit, The Sleuth Kit, EnCase, ILook

Digital Crime Scene Investigation Process

No one right way to do it! The process has three phases (Carrier, B., p. 5, Figure 1.1):
- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

System Preservation Stage

Crime scene preservation: depending on the situation, this will vary.
- Take pictures of everything: room setup, connections, open windows on computers.
- Label all wires and connections.
- Bag and tag all evidence.

System Preservation (cont.)

Evidence preservation:
- Seize all hardware that is necessary to reconstruct evidence.
- Jam or disable all wireless connections if possible.
- Make 2 (3) copies of all media.
- Authenticate all copies of media with the MD5 and SHA-1 hash algorithms, and record a SHA-256 digest as well, since both MD5 and SHA-1 are no longer collision resistant.

Evidence Preservation

The data has to be protected physically and logically. Physically, make sure that when transporting hard drives they are stabilized and not damaged by excessive vibration. Another thing to look out for is static electricity.

Logically preserving evidence means that the information contained on the drive, down to the last bit, never changes during seizure, analysis and storage.

Evidence Preservation – Write Blockers

Write blockers are devices that allow acquisition of information from a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass while blocking write commands. They can be hardware or software blockers. It is very important that some type of write blocker is tested and used when working with data: test it before the case against a scratch drive, confirm that a write attempt fails, and confirm that the drive's hash is unchanged afterwards.

Evidence Preservation – Write Blockers (contd.)

On our systems, we would use software write blockers to preserve the integrity of the data. We have included a tool that does that (disable_usb_write.reg). BEFORE attaching the USB drive, the write blocker needs to be invoked; only then is the USB drive attached, which ensures that nothing is written to it. Applying a software blocker after the drive is plugged in is too late, because the operating system may already have mounted the volume.

In a real scenario, a hardware write blocker would provide much stronger protection.

Evidence Preservation – Making Copies

With the write blocker in place, you can now make the image and several copies of it. It is important that an image is made of the hard drive and not a file copy or a backup, because an image preserves slack space, time stamps, unallocated space and file system structures, which would not necessarily survive a copy or a backup.

Evidence Preservation – Making Copies (contd.)

It is a good idea to make at least two working images: one to keep as a backup and one to work on. In our tools folder there is an Image command that uses the dd command to create an image of a hard drive.

Most texts also suggest making a third image for discovery.

Evidence Preservation – Authenticating and Hash Functions

It is now necessary to prove that all of these images are exactly the same, down to the very last bit!

A hash function, in general, is any well-defined procedure or mathematical function for turning data of any size into a relatively small, fixed-size value. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. For evidence authentication the function must be a cryptographic hash: it must be infeasible to find an input that produces a given hash, or two different inputs with the same hash. A checksum such as CRC32 is a hash function but not a cryptographic one, and is not sufficient for this purpose.

Evidence Preservation – Hashing (contd.)

In authentication, hashing is used to create a number that represents a drive or set of files. This is similar to fingerprinting someone: a fingerprint is created from the evidence. No details about the evidence can be determined from the hash value, but if the evidence is altered in any way, even by a single bit, the hash value will change.

Evidence Preservation – Hashing (contd.)

Two examples of hash functions are MD5 and SHA-1. MD5 was developed by Professor Ronald L. Rivest of MIT. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input. MD5 is no longer collision resistant: distinct inputs with the same MD5 value can be constructed, so it should not be the only digest recorded for evidence.

Evidence Preservation – Hashing (contd.)

SHA stands for Secure Hash Algorithm. The SHA hash functions are a family of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST. The five covered here are SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. SHA-1 produces a message digest that is 160 bits long; the number in each of the other four names denotes the bit length of the digest it produces. SHA-1, like MD5, now has practical collision attacks; the SHA-2 functions (SHA-224 and up) do not.

Evidence Preservation – Hashing (contd.)

Hashing tools can be found in the tools directory. The md5sum tool produces an MD5 message digest (hash value); on Linux, sha1sum and sha256sum do the same for SHA-1 and SHA-256. The hashcalc application can also create hash values using different hashing methods.

The hashing is done on the data itself, not on the names of files, so a renamed file still produces the same hash. There are existing databases of hash values for known images that can be used to find child pornography, and databases of known-good files (operating system and application binaries) that can be used to exclude files from examination.
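The acquire-then-authenticate procedure described above (image the drive with dd, then hash source and image and confirm they agree), as an added example that is not the course's Image tool or any code from the slides. It assumes a Linux examination box with coreutils (dd, md5sum, sha256sum); the "drive" is a constructed regular file so it runs without root or real hardware, and the real block-device commands (blockdev, mount) appear only in comments, with the chmod call standing in for them. It also shows a caveat the slides do not mention: dd's conv=sync pads a short final block, so the block size must divide the source size or the image hash will never match.

```shell
#!/bin/sh
# Added example, not the course's Image tool: acquire an image with dd and
# authenticate it with two independent digests. The "drive" is a constructed
# regular file so this runs without root or hardware; the real block-device
# commands appear in comments. Assumes Linux coreutils (dd, md5sum, sha256sum).
set -eu

# Write-block the source before touching it. On a real examination box:
#   blockdev --setro /dev/sdX                 # kernel rejects writes to the device
#   mount -o ro,noload,noexec /dev/sdX1 /mnt  # only if you must mount it at all
# A hardware blocker is still preferable. For the file-backed demo, dropping
# write permission is a hypothetical stand-in for those commands.
write_block() { chmod a-w "$1"; }

# Digest of the content only; the file name plays no part.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
md5_of()    { md5sum    "$1" | cut -d' ' -f1; }

# Bit-for-bit image. conv=noerror continues past unreadable sectors; conv=sync
# pads a short read with NULs, so bs must divide the source size or the image
# hash will never match the source. Disks are multiples of 512 bytes, so 512
# is always correct (larger blocks are faster when they divide the size).
acquire_image() { dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null; }

# Authenticate: same size and same MD5 *and* SHA-256 for source and image.
# Writes a manifest a second examiner can re-check with: sha256sum -c manifest
# Returns 0 on a full match, 1 otherwise.
verify_image() {
    src=$1; img=$2; manifest=$3
    s_sha=$(sha256_of "$src"); i_sha=$(sha256_of "$img")
    s_md5=$(md5_of "$src");    i_md5=$(md5_of "$img")
    printf '%s  %s\n%s  %s\n' "$s_sha" "$src" "$i_sha" "$img" > "$manifest"
    if [ $(( $(wc -c < "$src") )) -eq $(( $(wc -c < "$img") )) ] &&
       [ "$s_sha" = "$i_sha" ] && [ "$s_md5" = "$i_md5" ]; then
        return 0
    fi
    return 1
}

# Constructed demo: a 4 KiB "disk" holding a short message, imaged and verified.
demo() {
    work=$(mktemp -d)
    dev="$work/suspect.dev"; img="$work/suspect.dd"; manifest="$work/hashes.txt"
    dd if=/dev/zero of="$dev" bs=512 count=8 2>/dev/null
    printf 'Dear Sir, move the funds tonight.' | dd of="$dev" conv=notrunc 2>/dev/null
    write_block "$dev"
    acquire_image "$dev" "$img"
    if verify_image "$dev" "$img" "$manifest"; then
        echo "image authenticated:"; cat "$manifest"
    else
        echo "HASH MISMATCH: do not analyse this image; re-acquire" >&2
    fi
    chmod u+w "$dev"; rm -rf "$work"
}
demo
```

Two digests from unrelated algorithm families are recorded because MD5 and SHA-1 collisions are practical; an adversary who could forge one of them would still have to match the other. The manifest line format is exactly what sha256sum -c reads, so the working copy can be re-verified before each analysis session without re-running this script.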

Evidence Searching Stage

Once everything is preserved, analysis must begin.

Forensics is a science, so there should be a hypothesis from which to work.

Direct searching activities to test this hypothesis: look for evidence that would confirm it and for evidence that would refute it.

Evidence Searching (cont.)

- If you are looking for a specific file, e.g. known child pornography, compare hash values.
- If you are looking for keywords, most software gives you a search capability.
- Be specific about what you are looking for: if you are looking for web activity, look in web files (history, cache, cookies, etc.).
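Hash-set matching as described in the hashing and searching material above (hash the content, not the name, and compare against a reference database), as an added example that is not one of the course tools. Both reference sets below are constructed for the demo; a real known-bad set from law enforcement, or a known-good set such as NSRL, is a text file of one digest per line in the same form. It assumes sha256sum, find and awk; the evidence tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the course tools: match files by content against a
# reference hash set. Both sets below are constructed for the demo; a real one
# (a known-bad set from law enforcement, or the NSRL known-good set) is a text
# file of one digest per line. Assumes sha256sum, find and awk.
set -eu

# "sha256  path" for every regular file below $1, sorted for stable output.
hash_tree() { find "$1" -type f -exec sha256sum {} + | sort; }

# awk program shared by both matchers: load the set (bare digests or
# "digest  name" lines, any case, tolerating CRLF from Windows tools), then
# print the path of each sha256sum line whose digest is (want=1) or is not
# (want=0) in it. A sha256sum line is 64 hex chars, two spaces, then the path,
# so the path starts at column 67; taking substr keeps paths with spaces intact.
MATCHER='
BEGIN { while ((getline h < set) > 0) { sub(/\r$/, "", h); split(h, f, " "); known[tolower(f[1])] = 1 } }
{ if (($1 in known) == want + 0) print substr($0, 67) }'

# Files whose content is in the set. Renaming, changing the extension or
# burying the file in a cache directory does not defeat this; changing one byte
# does, because a hash is an exact match, not a similarity measure.
hashset_match()   { hash_tree "$1" | awk -v set="$2" -v want=1 "$MATCHER"; }

# The complement: drop known-good files (stock OS and application binaries) so
# the examiner only has to look at what is left.
hashset_exclude() { hash_tree "$1" | awk -v set="$2" -v want=0 "$MATCHER"; }

# Constructed demo: one contraband file, a renamed copy of it hidden in a cache
# directory, an ordinary document, and a "stock" binary in the known-good set.
demo() {
    work=$(mktemp -d); ev="$work/evidence"
    mkdir -p "$ev/Pictures" "$ev/Work/.cache"
    printf 'CONSTRUCTED contraband image bytes' > "$ev/Pictures/IMG_0042.jpg"
    cp "$ev/Pictures/IMG_0042.jpg" "$ev/Work/.cache/quarterly.docx"
    printf 'quarterly sales figures'            > "$ev/Work/report.txt"
    printf 'stock notepad.exe bytes'            > "$ev/Work/notepad.exe"
    sha256sum "$ev/Pictures/IMG_0042.jpg" | cut -d' ' -f1 > "$work/known_bad.txt"
    sha256sum "$ev/Work/notepad.exe"      | cut -d' ' -f1 > "$work/known_good.txt"
    echo "== known-bad matches (by content, whatever the name):"
    hashset_match "$ev" "$work/known_bad.txt"
    echo "== left to examine after removing known-good files:"
    hashset_exclude "$ev" "$work/known_good.txt"
    rm -rf "$work"
}
demo
```

Run it against a read-only mount of the working image, never against the original media. If the reference set was distributed as MD5 values, swap sha256sum for md5sum in hash_tree (the digest is then 32 characters, so the path offset becomes 35); a known-bad match on MD5 alone is a lead to verify by viewing, not proof, given MD5's collision weakness.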

Event Reconstruction Stage

Last phase of the investigation. It tries to answer the question of what happened and how. Evidence discovered during the searching phase is reconciled with non-digital evidence to create a sequence of events that supports the hypothesis.

General Guidelines

- Use a write-blocking device to prevent accidentally writing to the suspect media.
- Always work from a copy, not from the original.
- Authenticate the copy so that you can prove that evidence discovered was on the original media.
- Minimize file creation on working media to prevent overwriting of free space.
- Be especially careful about opening files, especially without a write blocker, because their CMA (created, modified, accessed) times will change; merely reading a file can update its accessed time.