A closer look at the digital evidence
Marcin Kaczmarek, CISA, Zespół Bezpieczeństwa Informacji, WCSS

[Wroclaw #2] A closer look at the digital evidence


About me

• Marcin Kaczmarek, M.Sc., CISA

• About 18 years in IT (from administration roots...)

• About 11 years in IT security (started with CIH, dialers and early SPAM)

• IT security auditor, analyst, consultant, forensic specialist

• Expert witness at the Regional Court in Wroclaw

• OWASP, ISACA, SIIS member

• More? Check social sites :))

https://zbi.wcss.pl

https://csirt.wcss.pl

Agenda

• What is the digital evidence?

• Sources of the digital evidence

• How to collect digital evidence

• Validity of the proof

• How to protect digital evidence

• Tools, ways, hints and more

• Problems with digital evidence

• Some demos and case studies

• Not only FAQ

Digital evidence

What is the digital evidence?

It is just information. It can contain any type of data, from any source.

Digital evidence can be:

- image files, photos, graphics
- audio files, movie files
- documents, presentations, spreadsheets
- log files, configuration files, listings, SQL tables
- disk image files, dump files
- etc.

Digital evidence

What is the digital evidence?

Let's look at typical file parameters:

-rw-r-xr-x 1 user group 1020314 Apr 12 2015 dump.txt

14415 -rw-r-xr-x 1 user group 102031 2015-04-12 04:43:19.802434332 dump.txt

(inodes, time extended: full-iso)

So the file parameters are also important here. The evidence should be as detailed as possible.

Use the -v (verbose) or -d (debug) parameters in commands.

Digital evidence

What is the digital evidence?

Digital evidence is a kind of proof. It can be extracted from any source.

Original (source) data cannot be changed!

Additional information can be extracted from the collected data using different techniques and conversions (such as EXIF, metadata, deleted/erased data). It is also evidence.

Digital evidence

What is the digital evidence?

- files containing text, image files, photo files, audio files...
- directory structures, file allocation tables, disk parameters
- network parameters and configuration, FW rules, IPS/IDS rules
- antivirus logs, system activity, system description
- log files, event manager files, database files (SQL, NoSQL), dumps...
- any data files containing information related to the specific case(s) (including temperature changes in the server room...)

Digital evidence

Sources of the digital evidence

Yes, computers! But mostly disks, pendrives, cards, even memory chips (NFC and RFID also).

Mobile phones, communication devices, cameras, recorders, monitoring devices, UTMs, firewalls, routers, sensors, detectors, digital locks: any device capable of collecting information and providing it as (computer) data.

Digital evidence

Sources of the digital evidence

The evidence should be collected from as many sources as needed. We should decide which source is essential and valid.

Digital evidence

How to collect the digital evidence

Direct way: copy the original data from the source.

- The copy should be a bit copy, 1:1.
- The copy should be signed using (some) hash (to ensure integrity and validity).
- The process of copying should be documented (how, when, where).
- Data parameters should also be documented (size, contents, timestamps, ownership and permissions).
- Original permissions and ownership should always be preserved.
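The direct-way procedure above (document the source, make a 1:1 bit copy, hash both sides, record how and when it was done), as an added shell example that is not part of the slides; the function names acquire_image and hash_file are assumptions, and the source is treated as read-only throughout.

```shell
#!/bin/sh
# Added example (not from the slides): 1:1 acquisition with dd plus hashing
# and a collection log. Function names are hypothetical.

# Print a SHA-256 digest for a file, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Returns 0 when the image digest matches the source digest, 1 otherwise.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # 1. Document the source parameters before anything else: inode, mode,
    #    owner, group, size and full-resolution timestamp (GNU ls; falls back
    #    to plain ls -li where --full-time is unsupported).
    {
        echo "=== acquisition $(date -u +%Y-%m-%dT%H:%M:%SZ) by $(id -un) on $(uname -n)"
        echo "source: $src"
        ls -li --full-time "$src" 2>/dev/null || ls -li "$src"
    } >> "$log"

    # 2. Hash the original first, so any later change to it is detectable.
    src_hash=$(hash_file "$src")
    echo "source sha256: $src_hash" >> "$log"

    # 3. Bit copy. noerror keeps reading past bad sectors; sync pads a short
    #    read with zeros so offsets stay aligned. A block device is a multiple
    #    of 512 bytes, so no padding is added and the digests can still agree.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"

    # 4. Hash the image, store the digest beside it, record the exact command.
    img_hash=$(hash_file "$img")
    echo "$img_hash  $img" > "$img.sha256"
    echo "image  sha256: $img_hash" >> "$log"
    echo "command: dd if=$src of=$img bs=512 conv=noerror,sync" >> "$log"

    # 5. Verify: the copy only counts as evidence if both digests agree.
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verify: OK" >> "$log"; return 0
    fi
    echo "verify: MISMATCH" >> "$log"; return 1
}
```

On a real drive the source would be a block device opened through a write blocker or mounted read-only; the log file is what later proves how the copy was produced.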

Digital evidence

How to collect the digital evidence

Tools: dd, Clonezilla, memdump, Paragon Backup & Recovery, FTK Imager, EnCase etc.

(in some cases hardware copiers are needed)

The process of collecting the data should be recorded and registered (how we can access the data and how it was extracted, which tools etc.).

Digital evidence

How to collect the digital evidence

Indirect way: collecting data from other sources that can be related to the original (e.g. external routers, hosting servers).

Using additional tools to analyse and extract data (e.g. monitoring the network, IDS, IPS).

Always use the copy, even when the data is from other (indirect) sources.

The process of collecting the indirect data should be recorded and registered as well.

Yes, we can use some techniques to access the data if needed. With proper permissions we can also use cracking, hacking (ethical!) and other such things.

Digital evidence

How to collect the digital evidence

Indirect way:

- network monitoring (from analysers, netflows, tcpdumps)
- behavior analysis data (from UTMs, IPSs: logs, triggers, events)
- external connections (from other hosts)

Digital evidence

How to collect the digital evidence

Memory dump:

Using memory dumping apps (Windows) such as DumpIt, using copies of pagefile.sys and hiberfil.sys (offline) as well as copies of minidumps (online is possible).

Memory dump in Linux (Android) is not so easy. We can use standard devices like /dev/mem, /dev/kmem or /dev/crash but they are not always present (in the kernel). We can use fmem or LiME (Linux Memory Extractor) but they are LKMs which have to be loaded into the kernel. Sometimes hard to achieve.

We should use process listings, open files, status and more: ps aux, ps -elf, top, htop, netstat -a, lsof, ss...

The results should be copied to file(s).
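Capturing the process, socket and open-file listings into files, as the slide recommends, in an added shell example that is not part of the original deck; the function name collect_volatile and the output layout are assumptions, and tools that are absent on the host are recorded as missing rather than skipped silently.

```shell
#!/bin/sh
# Added example (not from the slides): save volatile state, one file per
# command, with a UTC timestamp in each file and a manifest of SHA-256
# digests. Function name is hypothetical.

# collect_volatile OUTDIR
# Prints the manifest path; returns non-zero only if OUTDIR cannot be made.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    manifest="$out/MANIFEST.txt"
    echo "# volatile collection $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n) by=$(id -un)" > "$manifest"

    # name|command, ordered roughly by volatility: identity, processes,
    # sockets, open files. Add or remove commands to suit the host.
    printf '%s\n' \
        'uname|uname -a' \
        'date|date -u' \
        'id|id' \
        'ps_aux|ps aux' \
        'ps_elf|ps -elf' \
        'ss|ss -tanp' \
        'netstat|netstat -an' \
        'lsof|lsof -nP' \
    | while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            # The record must say what was NOT collected, too.
            echo "$name MISSING ($tool not found)" >> "$manifest"
            continue
        fi
        f="$out/$name.txt"
        # First line of each file states exactly what produced it and when;
        # a non-zero exit status is kept in the file instead of aborting.
        { echo "# $cmd @ $(date -u +%Y-%m-%dT%H:%M:%SZ)"; $cmd || echo "# exit status $?"; } > "$f" 2>&1
        digest=$(sha256sum "$f" 2>/dev/null || shasum -a 256 "$f")
        echo "$name ${digest%% *} $(wc -c < "$f" | tr -d ' ') $f" >> "$manifest"
    done
    echo "$manifest"
}
```

The output directory should be on separate, removable media so that collecting the listings does not overwrite anything on the examined system.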

Digital evidence

How to collect the digital evidence

[Images: disk copier, mobile extractor]

The best way is to make an offline copy and dump (device is "off"). But sometimes it is not possible to do it that way.

Digital evidence

How to collect the digital evidence

The other way to collect data is directly from the chip, by cabling or using JTAG interfaces (NAND memory, flash memory and microcontrollers).

All collected data are files, binary or text.

Digital evidence

Validity of the proof

The validity of the proof is not always simple to define precisely.

We should decide what is important and relevant regarding and according to the specific case(s).

Validity of the proof can be achieved through:

- properly defined relation with other evidence (not only digital)
- signing the data (for integrity)
- encryption (for confidentiality)
- copies, backups (for availability)
- registered and recorded processing of the data

And always remember: work on the 1:1 copies.

Digital evidence

How to protect digital evidence

Protection of the digital evidence:

- proper number of copies and backups
- process recording and copies of the recordings
- proper storage parameters
- encryption and hashing
- access control and management (time and network based)
- management of the evidence (including records)

Digital evidence

Some tools and hints (open source, free, mostly)

- For disk and memory dumps: dd, dd_rescue
- For data extraction from files, dumps: foremost, scalpel
- For data analysis (especially memory dumps): volatility
- For network data analysis: tcpdump, tcpflow, wireshark
- For metadata extraction from media files: exiftool, Metadata Extraction Tool
- For data extraction from disks, erased files: testdisk, photorec
- For data extraction from binary files: strings, hexedit, xxd
- For info about wireless: kismet

And of course the set of grep, awk, emacs, vi and more...

(I prefer working with the console :))

Digital evidence

Some tools and hints

1. Always mount the disks read-only!!!
2. A CCTV disk is just a kind of "streaming" device. No partition tables.
3. Never "initialize the disk" from a CCTV or satellite receiver.
4. Work on the copy of the original even when extracting (1:1 copy).
5. SSDs are not quite "hashable" due to their specific construction. CRCs and hashes can be useless and can't act as a proof.
6. When collecting the data from a "chip" or "direct device" always use a complete dump/backup.

Digital evidence

Some tools and hints

1. For Android data collection we can use adb shell commands such as: backup, pull (copy contents), dumpsys, logcat.

2. The basic commands are very useful; don't underestimate them.

3. We can use specific "forensic" versions of Linux, CAINE and Kali (forensic mode), with different tools (including The Sleuth Kit, Maltego, Autopsy...).

4. And of course we can use commercial software :))

Digital evidence

Problems with the digital evidence

1. Amount of data for analysis.
2. Proper access to a system that is physically destroyed, encrypted (Apple vs FBI), damaged, locally unavailable.
3. Amount of trash data: completely useless data which must be checked.
4. Limited time for analysis (decryption can take more...).
5. Any amount of data can easily be erased accidentally or intentionally (that's why we use copies here).
6. There is more additional data which can be important, and no one gets full access to it. So there is a need to cooperate with lawyers. (Of course you can do some blackhacking but this is dangerous.)

Some demos, case studies

Exiftool

Foremost

Testdisk, photorec


Not only FAQ

Not only Frequently Asked Questions (NoFAQ)

Digital evidence

Thank You

Marcin Kaczmarek, CISA, ZBI WCSS, Politechnika Wrocławska

https://zbi.wcss.pl https://csirt.wcss.pl