Transcript
Page 1: Computer forensics published version cwru 02242011

© 2009 Property of JurInnov Ltd. All Rights Reserved

Case Western Reserve University Computer Fraud

February 24, 2011

Timothy M. Opsitnick, Esq., Senior Partner and General Counsel, JurInnov Ltd.
John Liptak, ACE, Computer Forensics Analyst

© 2010 Property of JurInnov Ltd. All Rights Reserved

Page 2

Who Are We?

JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
  – Electronic Discovery
  – Computer Forensics
  – Document and Case Management
  – Computer & Information Security


Page 3

Presentation Overview

• Understanding Computing Environments

• Collecting Electronically Stored Information

• Forensic Analysis Demonstration

• Types of Cases When Forensics Are Useful


Page 4

What is Computer Forensics?

Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.


Page 5

Types of “ESI”

• E-mail
• Office Files
• Database
• Ephemeral
• Legacy Systems
• Metadata


Page 6

Sources of “ESI”

• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage Devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup Tapes
• E-Mail
• Archives
• Cell Phones/PDAs
• Thumb Drives
• Memory Cards
• External Storage Devices
• Cameras
• Printers
• GPS Devices


Page 7

Why Computer Forensics?

• Reasons to use Computer Forensics
  – Internal Company Investigations
    • Alleged criminal activity
    • Civil or Regulatory Preservation
  – Receivership, Bankruptcy
  – EEO issues
  – Improper use of company assets
  – Recovery of Accidentally or Intentionally Deleted Data
    • Deleted is not necessarily deleted
    • Recovery from Improper shutdowns


Page 8

Types of Computer Fraud

• Fraud by computer manipulation
  – Program or data manipulation

• Common internal computer fraud schemes
  – Billing schemes
  – Inventory fraud
  – Payroll fraud
  – Skimming
  – Check tampering
  – Register schemes


Page 9

Types of Computer Fraud

• Fraud by damage to or modification of computer data or programs
  – Economic advantage over a competitor
  – Theft of data or programs
  – Holding data for ransom
  – Sabotage

• Common external computer fraud schemes
  – Telecommunications fraud
  – Hacking
  – Internet fraud
  – Software piracy


Page 10

How Does a Computer Operate?

• Hardware
  – Processor
  – Memory (RAM)
  – Hard Drive
  – CD/DVD Drive
  – Motherboard
  – Mouse/Keyboard

• Software
  – Operating System
  – Applications


Page 11

How Does a Computer Operate?

• How is data stored on a hard drive?

• How is data “deleted” by the operating system?



Page 15

Collecting “ESI”

• “Let’s let the IT staff do it.”

• Forensic Harvesting – What is a forensic copy?


Page 16

Collecting “ESI”

• Forensic Harvesting - Logical v Physical
  – Logical / “Ghost” copy (Active Files)
    • Data that is visible via the O.S.
  – Physical
    • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)



Page 18

Collecting “ESI”

• Network Harvest
• E-Mail Harvest
• Cell Phone / Device Seizure


Page 19

Computer Forensics Process

• Interview Process/Needs Analysis
• Maintaining Chain of Custody
• Photograph Evidence
• Record Evidence Information (users, S/Ns, etc.)
• BIOS/CMOS Time
• Utilize Sanitized (“Wiped”) Drives
• Write Blocker
• On-Site Acquisition
• Forensic Lab Acquisition


Page 20

Acquisition (Data Harvest)

• Software Tools
  – EnCase (Guidance Software)
  – Forensic Tool Kit (AccessData)
  – Device Seizure (Paraben)
  – Network Email Examiner (Paraben)

• Hardware Tools
  – Write Blockers (Tableau)
  – Talon (Logicube)
  – Cell-Dek (Logicube)


Page 21

Types of Data Acquisitions

• Image Types
  – EnCase Image (.E01)
  – DD Image (Linux)
  – Custom Content Image (.AD1)

• ESI Locations
  – Hard Drives
  – Network Shares/Department Shares/Public Shares
  – Server E-Mail
  – Server Acquisition (On/Off)
  – Cell Phone/PDA
  – Thumb Drive/External Media


Page 22

Forensic Considerations

• Transfer Speeds
  – USB
  – FireWire
  – IDE
  – SATA/eSATA

• Image Verification - MD5 Hash Values
• Work Copies
• Inventory Management


Page 23

Forensic Considerations

• Presentation Suspect Images
  – Description: Physical Disk, 39102336 Sectors, 18.6GB
  – Physical Size: 512
  – Starting Extent: 1S0
  – Name: Presentation Suspect Images
  – Actual Date: 03/24/09 03:17:21PM
  – Target Date: 03/24/09 03:17:21PM
  – File Path: E:\Presentation image.E01
  – Case Number: Presentation Drive
  – Evidence Number: Presentation Suspect Images
  – Examiner Name: Stephen W. St.Pierre
  – Drive Type: Fixed
  – File Integrity: Completely Verified, 0 Errors
  – Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
  – Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
  – GUID: 04d345276275524c8a111824be6eb170
  – EnCase Version: 5.05j
  – System Version: Windows 2003 Server
  – Total Size: 20,020,396,032 bytes (18.6GB)
  – Total Sectors: 39,102,336


Page 24

Forensic Considerations

• Creating Work Copy of Original Backup Image
  – Evidence Mover Log:

03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01 Destination file: G:\Evidence\Presentation image.E01.
Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678

03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02 Destination file: G:\Evidence\Presentation image.E02.
Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842

03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03 Destination file: G:\Evidence\Presentation image.E03.
Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917

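Added example, not part of the JurInnov slides: a Python script that does what the Evidence Mover log and the EnCase acquisition/verify hashes above illustrate, hashing each segment of a multi-part image (.E01, .E02, ...) on the source and destination sides and flagging any segment whose work copy does not match. Directory names, file names and segment contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def md5_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a multi-GB image never has to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_work_copy(src_dir, dst_dir, base_name):
    """Hash every segment (base.E01, base.E02, ...) on both sides, like the
    Evidence Mover log. Returns (segment, source_hash, copy_hash, ok) tuples;
    a missing copy yields copy_hash None and ok False."""
    results = []
    n = 1
    while True:
        seg = f"{base_name}.E{n:02d}"
        src = os.path.join(src_dir, seg)
        if not os.path.exists(src):
            break
        dst = os.path.join(dst_dir, seg)
        src_hash = md5_file(src)
        dst_hash = md5_file(dst) if os.path.exists(dst) else None
        # Tools print the digest in upper or lower case; compare case-insensitively.
        ok = dst_hash is not None and src_hash.lower() == dst_hash.lower()
        results.append((seg, src_hash, dst_hash, ok))
        n += 1
    return results


def demo():
    """Constructed sample: three tiny segments, the second copy silently altered."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        segments = [b"abc", b"constructed segment two", b"constructed segment three"]
        for n, payload in enumerate(segments, start=1):
            name = f"Presentation image.E{n:02d}"
            with open(os.path.join(src, name), "wb") as f:
                f.write(payload)
            if n == 2:
                payload = payload[:-1] + b"?"  # one-byte copy error
            with open(os.path.join(dst, name), "wb") as f:
                f.write(payload)
        return verify_work_copy(src, dst, "Presentation image")
```

On a real case the two directory arguments are the original evidence drive and the work-copy drive, and any segment reported as not ok is recopied and rehashed before analysis starts.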

Page 25

Forensic Considerations

• Windows Encryption
  – Encrypted File System (XP)
  – BitLocker (Vista & Windows 7)

• Other Hardware or Software Encryption
  – Laptop hard drives
  – e.g., Truecrypt


Page 26

Forensic Analysis

• Indexing
• Key Word Searching
• Filters
  – AND/OR/NOT
  – Date Range
  – Specific File Types


Page 27

Forensic Analysis

• Deletion
  – Deleted Documents
  – Recycle Bin (Deleted Dates/Info 2)
  – Data Carving
  – Unallocated Space
  – Hard Drive Wiping

• Signature Analysis: File Extension vs. File Signature

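Added example, not from the slides: a minimal signature check in Python that compares a file's claimed extension against the magic bytes at its start, which is the mismatch an examiner looks for when a document has been renamed to disguise it. The signature table, extension groups and sample headers are constructed for the demo; a real run would read the first 16 bytes of each file in the image instead of the SAMPLES dictionary.

```python
# Leading bytes that identify common file types (constructed, not exhaustive).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy Office (.doc/.xls/.ppt) container
    b"PK\x03\x04": "zip",                         # also Office Open XML (.docx/.xlsx/.pptx)
}

# Extensions that legitimately carry each signature type.
EXTENSIONS = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
}


def identify(header):
    """Return the signature type for the first bytes of a file, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def signature_check(name, header):
    """Compare the claimed extension with the real signature.
    Returns 'match', 'unknown', or 'mismatch:<signature type>'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(header)
    if kind is None:
        return "unknown"
    return "match" if ext in EXTENSIONS[kind] else f"mismatch:{kind}"


# Constructed sample headers standing in for files pulled from an image.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # a JPEG renamed to .txt
    "readme.txt": b"plain text, no magic",
}


def scan(samples=SAMPLES):
    """Return {name: result} for every sample; the mismatches are the review queue."""
    return {name: signature_check(name, header) for name, header in samples.items()}
```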

Page 28

Forensic Analysis

• File Hash Analysis: Comparing Files
• Image Review/Analysis
• Internet History Analysis

• Analysis Examples …


Page 29

Registry Overview

• Windows Registry – central database of the configuration data for the OS and applications.

• Gold Mine of forensic evidence

• Registry Hive Keys
  – Software
  – System
  – SAM (Security Account Manager)
  – NTUSER.dat


Page 30

Registry – Software

• What Operating System Installed?
• Date/Time OS Installed
• Product ID For Installed OS
• Programs That Run Automatically at Startup (Place to Hide Virus)
• Profiles


Page 31

Registry – System

• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System SHUT DOWN Time
• Time Zone


Page 32

Registry – SAM & NTUSER.DAT

• SAM
  – Local Accounts

• NTUSER.DAT
  – Network Assigned Drive Letters
  – Typed URLs (websites)
  – Last Clean Shutdown Date/Time
  – Username and Passwords
  – Recent Documents

• Registry examples …


Page 33

Unallocated Space Analysis

• Unallocated Space/Drive Free Space

• File Slack


Page 34

Data Transfer Analysis

• FTP
• E-Mail
• External Drives
• Link Files (external/server)
• Internet History
• Webmail
• Created/Accessed/Modified Dates


Page 35

Evidence/Analysis Reporting

• FTK Report (html based report)
• Evidence Presentation
• Final Expert Report
• Interpretation of Report
• Expert Testimony


Page 36

Forensic Analyst

• Tips For Dealing With Your Forensics Analyst

• What to Expect From A Forensics Analyst
  – Certifications
  – Training
  – Experience
  – Testimony


Page 37

Types of Cases When Forensics Are Useful…

• Financial
  – Receivership
  – Bankruptcy

• General Litigation
  – Commercial Litigation
  – Product Liability

• Corporate
  – Regulatory (SEC, Second Requests, FTC)
  – Mergers/Acquisitions


Page 38

Types of Cases When Forensics Are Useful, cont.

• Intellectual Property
  – Theft of Intellectual Property
  – Temporary Restraining Order (TRO)
  – Permanent Injunction


Page 39

Types of Cases When Forensics Are Useful, cont.

• Labor/Employment
  – Violation of Non-Compete Agreements
  – Sexual Harassment
  – Age Discrimination
  – Fraud/Embezzlement
  – Other Violations of Company Policy


Page 40

Types of Cases When Forensics Are Useful, cont.

• Domestic Relations
  – Divorce
  – Custody

• Corporate Criminal
  – Other Criminal


Page 41

For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]
• Email: [email protected]

JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
