Computer Forensics First Responder Training
August 28-30, 2012

Timothy M. Opsitnick, Esq.
Senior Partner and General Counsel
JurInnov Ltd.

John G. Liptak, ACE, EnCE
Senior Consultant
Computer Forensic and Investigation Services

Eric A. Vanderburg, MBA, CISSP
Director, Information Systems and Security
Computer Forensic and Investigation Services

© 2009 Property of JurInnov Ltd. All Rights Reserved
© 2012 Property of JurInnov Ltd. All Rights Reserved

Computer Forensics: First Responder Training - Eric Vanderburg - JurInnov


Timothy Opsitnick, Senior Partner; Eric Vanderburg, Director of Information Systems and Security; and John Liptak, Forensic Investigator at JurInnov, explain the role of computer forensics and of the first responder to an incident.


Who Are We?

JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
– Electronic Discovery
– Computer Forensics
– Document and Case Management
– Computer & Network Security

Presentation Overview

• Understanding Computing Environments
• Collecting Electronically Stored Information
• Forensic Analysis Demonstration
• Types of Cases When Forensics Are Useful


What is Computer Forensics?

Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.

Sources of “ESI”

• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage Devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup Tapes
• E-Mail
• Archives
• Cell Phones/PDAs
• Thumb Drives
• Memory Cards
• External Storage Devices
• Cameras
• Printers
• GPS Devices

Why Computer Forensics?

• Reasons to use Computer Forensics
  – Internal Company Investigations
    • Alleged criminal activity
    • Civil or Regulatory Preservation
  – Receivership, Bankruptcy
  – EEO issues
  – Improper use of company assets
  – Recovery of Accidentally or Intentionally Deleted Data
    • Deleted is not necessarily deleted
    • Recovery from Improper shutdowns

How Does a Computer Operate?

• Hardware
  – Processor
  – Memory (RAM)
  – Hard Drive
  – CD/DVD Drive
  – Motherboard
  – Mouse/Keyboard
• Software
  – Operating System
  – Applications


How Does a Computer Operate?

• How is data stored on a hard drive?

• How is data “deleted” by the operating system?

Collecting “ESI”

• Windows Copy
• Ghost Copy/Images
• Forensic Images

Collecting “ESI”

• Forensic Harvesting - Logical v Physical
  – Logical copy (Active Files)
    • Data that is visible via the O.S.
  – Physical
    • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)

First Response

• First Steps Taken
  – Identify users/custodians, electronic devices and begin Chain of Custody
  – Photograph and document full environment and condition/state of devices
  – Determine next steps depending on device(s) and situation

Acquisition (Data Harvest)

• Equipment and Tools
  – Write Blockers
  – Camera
  – Forensically wiped hard drives
  – Screw Drivers
  – Anti-static bags
  – Power Strips and extension cords
  – Blank CDs and DVDs / USB Flash Drives
  – SD Card / Micro Card Reader
  – Fans for cooling drives during imaging

Acquisition (Data Harvest)

• Software Tools
  – EnCase (Guidance Software)
  – Forensic Tool Kit (AccessData)
  – Mobile Phone Examiner (AccessData)
  – Device Seizure (Paraben)
  – Raptor (Forward Discovery)
  – Internet Evidence Finder (Magnet Forensics)
• Hardware Tools
  – Write Blockers (Tableau)
  – CellDEK (Logicube)

Types of Data Acquisitions

• Image Types
  – EnCase Image (.E01)
  – Logical EnCase Image (.L01)
  – DD Image (.001)
  – Custom Content Image (.AD1)
• ESI Locations
  – Hard Drives
  – Servers
    • Email
    • Network Shares
  – Cell Phone/PDA
  – External Media

Computer Imaging

• Photograph, document and begin Chain of Custody
• Acquire live RAM (if possible/necessary)
• Shut down computer
  – Pull plug (Windows/Mac)
  – Properly shut down (Server/Linux/Unix)
• Determine imaging method and format
  – Write Blocker
  – Boot Disk
    • USB / eSata / FireWire
    • Crossover Cable

Computer Imaging

• Imaging Process
  – Set segment size, type of image, name and compression
  – Create forensic image utilizing selected method
  – Verify Image Hash Value
• Check BIOS clock and document date/time
  – Make note of any differences from actual date/time
• Re-Install hard drive if removed and verify that the computer boots to the OS
• Create “Work” drive of collected images
  – Connect Backup drive to a write blocker to ensure no changes to the original data occur

Device Imaging

Creating a “Work” drive

Image Verification

• Presentation Suspect Images
• Description: Physical Disk, 39102336 Sectors, 18.6GB
• Physical Size: 512
• Starting Extent: 1S0
• Name: Presentation Suspect Images
• Actual Date: 03/24/09 03:17:21PM
• Target Date: 03/24/09 03:17:21PM
• File Path: E:\Presentation image.E01
• Case Number: Presentation Drive
• Evidence Number: Presentation Suspect Images
• Examiner Name: Stephen W. St.Pierre
• Drive Type: Fixed
• File Integrity: Completely Verified, 0 Errors
• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
• GUID: 04d345276275524c8a111824be6eb170
• EnCase Version: 5.05j
• System Version: Windows 2003 Server
• Total Size: 20,020,396,032 bytes (18.6GB)
• Total Sectors: 39,102,336

Work Images

• Creating Work copy of original Backup Image
  – Evidence Mover Log:

03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01 Destination file: G:\Evidence\Presentation image.E01.
Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678

03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02 Destination file: G:\Evidence\Presentation image.E02.
Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842

03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03 Destination file: G:\Evidence\Presentation image.E03.
Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917
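The copy-then-verify step behind a log like the one above, as an added example (not JurInnov's or Evidence Mover's code): each image segment is hashed in streaming blocks at the source, read back from the work drive, and re-checked later against the recorded values. The `*.E??` pattern, the folder and file names, and the SHA-256 digest computed alongside MD5 are assumptions of this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so multi-gigabyte segments never sit in RAM


def hash_file(path):
    """Return (MD5, SHA-256) hex digests of a file from one streaming pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest().upper(), sha256.hexdigest().upper()


def copy_segments(src_dir, dst_dir, pattern="*.E??"):
    """Copy each image segment to the work drive and hash the copy as written.

    Returns {segment name: (md5, sha256)} taken from the source; raises if the
    destination read-back differs, so a bad copy never enters the work set.
    """
    dst_dir = Path(dst_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(Path(src_dir).glob(pattern)):
        dst = dst_dir / src.name
        shutil.copyfile(src, dst)
        expected = hash_file(src)
        if hash_file(dst) != expected:
            raise IOError(f"hash mismatch after copying {src.name}")
        manifest[src.name] = expected
    return manifest


def verify_segments(work_dir, manifest):
    """Re-hash a work copy against the recorded manifest; return failing names."""
    failed = []
    for name, expected in sorted(manifest.items()):
        path = Path(work_dir) / name
        if not path.is_file() or hash_file(path) != expected:
            failed.append(name)
    return failed


def demo():
    """Constructed data: three small stand-in segments, then one flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        src, work = Path(tmp, "backup"), Path(tmp, "work")
        src.mkdir()
        for i in (1, 2, 3):
            (src / f"Sample image.E0{i}").write_bytes(bytes([i]) * 4096)
        manifest = copy_segments(src, work)
        clean = verify_segments(work, manifest)
        # Simulate a damaged work copy: change a single byte in segment 2.
        target = work / "Sample image.E02"
        data = bytearray(target.read_bytes())
        data[100] ^= 0xFF
        target.write_bytes(data)
        return manifest, clean, verify_segments(work, manifest)


if __name__ == "__main__":
    manifest, clean, damaged = demo()
    for name, (md5, _sha256) in manifest.items():
        print(f"{name}  MD5 {md5}")
    print("failed before tampering:", clean, "after:", damaged)
```

These are hashes of the segment files themselves, which is a separate check from the acquisition hash stored inside an EnCase image.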

USB Thumb Drive Acquisition

• Photograph, document and begin Chain of Custody
• Determine imaging method and format
  – Hardware write blocker
  – Software Registry Write Block
• Imaging Process
  – Create forensic image utilizing selected method
  – Verify image(s) hash value

Network Data Collection

• Photograph and document
• Coordinate with IT to determine location of desired shares/folders
• Obtain proper credentials to access target data
• Attach forensically wiped hard drive to server or workstation with local network access
• Run FTK Imager Lite from attached hard drive
• Create Custom Content Image (.AD1) of target shares/folders
• Verify image MD5 hash value

Network Data AD1 Image

• Add Contents of a Folder
• Add To Custom Content Image (AD1)

Network Data AD1 Image

• Create Custom Content Image
• Verify Hash Value of AD1

Microsoft Exchange Collection

• Photograph and document
• Stop Microsoft Exchange services
• Attach forensically wiped hard drive to Exchange server
• Run FTK Imager Lite from attached hard drive
• Create Custom Content Image (.AD1) of Exchange .EDB files
• Verify image MD5 hash values
• Restart all Microsoft Exchange services

Microsoft Exchange Cont.

• Select Mailbox Collection
  – Exchange 2003
    • ExMerge
  – Exchange 2007 & 2010
    • Command Line/PowerShell

Registry Overview

• Windows Registry – central database of the configuration data for the OS and applications.
• Gold Mine of forensic evidence
• Registry Keys
  – Software
  – System
  – SAM (Security Account Manager)
  – NTUSER.dat

Software Key

• What Operating System Installed?
• Date/Time OS Installed
• Product ID For Installed OS
• Installed software
• Programs That Run Automatically at Startup (Place to Hide Virus)
• User Profiles

System Key

• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System SHUT DOWN Time
• Time Zone

SAM & NTUSER.DAT Keys

• SAM
  – Domain Accounts
• NTUSER.DAT
  – Network Assigned Drive Letters
  – Last Clean Shutdown Date/Time
  – Recent Documents
  – Program settings

Forensic Analysis

• Registry Analysis
  – OS Install date/time
  – Installed Software
  – Startup programs
  – Time Zone settings
  – Last Shutdown time
  – User information / Accounts
  – Recently opened files
  – Connected USB Devices
  – Mounted Drives
  – Recently used programs

Registry – OS Install Date

Registry – Installed Software

Registry – Startup Programs

Registry – Time Zone Settings

Registry – Last Shutdown Time

Registry – User Info/Accounts

Registry – User Info/Accounts

Registry – Recently Opened

Registry – USB Devices

Registry – Mounted Drives

Registry – Recent Programs

Forensic Analysis

• USB / External HDD Analysis
  – Serial Number
  – Volume Serial Number
  – Model
  – First Connected
  – Last Connected
  – Friendly Name
  – User who connected drive
  – .LNK Files


USB/External HDD Analysis

Forensic Analysis

• Internet History
  – Default internet browser
  – Sites visited and frequency
  – Date and time of last visit
• Recent Folder
  – Recently accessed files/programs
• My Documents / User Folder(s)
  – Usually where most user created data is located

Internet History Analysis

Internet History Analysis

Forensic Analysis

• Deletion
  – Recycle Bin
    • Examine INFO2 records if file was sent to the recycle bin
      – Contains the date & time the file was sent to the recycle bin
      – Shows where the file resided before being sent to the recycle bin
  – Data Carving
  – Evidence of wiping or wiping software
    • Hex Editor sometimes helps to see wiping pattern if one exists
  – Example recovery of deleted document…

“deleted.txt” exists on a disk

The file has been deleted

The directory listing…
Note the sigma character

Is the data really gone???

Sigma changed to Underscore

Hey … it’s back!

VOILA…
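What the slides above walk through, as an added example (not from the original deck) and assuming the demo volume is FAT: deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5, which code page 437 displays as the sigma character, while the starting cluster and size stay in place. The directory sector, file names, cluster size and contiguous-cluster assumption are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5     # first name byte of a deleted entry; "σ" in code page 437
ATTR_LONG_NAME = 0x0F   # long-file-name slots, skipped in this example


def build_entry(name, ext, first_cluster, size, deleted=False):
    """Build one short-name directory entry (constructed sample data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                          # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)    # high word (FAT32)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK          # the only byte of the entry that changes
    return bytes(raw)


def parse_directory(buf):
    """Return every short-name entry, flagging those marked deleted."""
    entries = []
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = buf[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:             # 0x00 = no further entries in this directory
            break
        if raw[11] == ATTR_LONG_NAME:
            continue
        deleted = raw[0] == DELETED_MARK
        shown = raw[0:8].decode("cp437").rstrip()   # as a directory viewer lists it
        ext = raw[8:11].decode("cp437").rstrip()
        high, = struct.unpack_from("<H", raw, 20)
        low, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({
            "listing": f"{shown}.{ext}",
            # The original first character is lost, so a placeholder is substituted.
            "recovered_name": f"{'_' + shown[1:] if deleted else shown}.{ext}",
            "deleted": deleted,
            "first_cluster": (high << 16) | low,
            "size": size,
        })
    return entries


def carve(image, entry, data_offset, cluster_size):
    """Read a file's bytes from a working copy of the image.

    Assumes the clusters are contiguous and not yet reused, because the FAT
    chain of a deleted file is cleared; cluster numbering starts at 2.
    """
    start = data_offset + (entry["first_cluster"] - 2) * cluster_size
    return image[start:start + entry["size"]]


def demo():
    """Constructed 512-byte directory sector followed by two 512-byte clusters."""
    kept, gone = b"still allocated\n", b"This text was deleted, not wiped.\n"
    directory = (build_entry("KEEP", "TXT", 2, len(kept))
                 + build_entry("DELETED", "TXT", 3, len(gone), deleted=True))
    image = (directory.ljust(512, b"\x00") + kept.ljust(512, b"\x00")
             + gone.ljust(512, b"\x00"))
    entries = parse_directory(image[:512])
    return entries, [carve(image, e, 512, 512) for e in entries]


if __name__ == "__main__":
    for entry, data in zip(*demo()):
        print(entry["listing"], "->", entry["recovered_name"], entry["deleted"], data)
```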


Deleted & Overwritten File

Recycle Bin Info Record Finder

• These files were recovered by searching for recycle bin header signatures in unallocated and slack space. These records represent files that were contained in the recycle bin before it was emptied.
• Info records for file: Demo case\Revised demo images\C\RECYCLER\S-1-5-21-1229272821-1592454029-839522115-1003\INFO2

• Index : 2
• Deleted : 11/06/07 03:30:54PM
• FileSize : 20480 bytes (20 KB)
• FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
• Offset : 820

• Index : 2
• Deleted : 11/06/07 10:30:54AM
• FileSize : 20480 bytes (20 KB)
• FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
• Offset : 1080
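A parser for the kind of INFO2 record listed above, as an added example (not the tool shown on the slide): it assumes the commonly documented Windows XP layout of a 20-byte header followed by 800-byte records, and it runs on a constructed file whose paths and values are made up for illustration. Deletion times are stored as FILETIME values in UTC, so the examiner chooses the time zone they are displayed in.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20    # assumed XP layout; the DWORD at offset 12 holds the record size
RECORD_SIZE = 800   # 260-byte ANSI path + 20 bytes of fields + 520-byte UTF-16 path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_record(raw, offset):
    """Decode one 800-byte record; offset is its position in the INFO2 file."""
    index, drive, ticks, size = struct.unpack_from("<IIQI", raw, 260)
    ansi_path = raw[0:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
    wide_path = raw[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "offset": offset,
        "index": index,
        "drive": chr(ord("A") + drive) + ":",
        "deleted_utc": filetime_to_utc(ticks),   # stored as UTC, not local time
        "size": size,
        # Assumed behaviour: a record restored or removed on its own has the
        # first ANSI byte zeroed, while the UTF-16 copy keeps the full path.
        "still_in_bin": raw[0] != 0,
        "path": wide_path or ansi_path,
    }


def parse_info2(data):
    """Return every record of an INFO2 file, or [] for an unexpected layout."""
    if len(data) < HEADER_SIZE:
        return []
    record_size, = struct.unpack_from("<I", data, 12)
    if record_size != RECORD_SIZE:
        return []
    return [parse_record(data[off:off + RECORD_SIZE], off)
            for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def build_record(index, path, deleted, size, removed=False):
    """Constructed sample record, so the example runs without evidence files."""
    raw = bytearray(RECORD_SIZE)
    ansi, wide = path.encode("cp1252"), path.encode("utf-16-le")
    raw[0:len(ansi)] = ansi
    raw[280:280 + len(wide)] = wide
    delta = deleted - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    drive = ord(path[0].upper()) - ord("A")
    struct.pack_into("<IIQI", raw, 260, index, drive, ticks, size)
    if removed:
        raw[0] = 0
    return bytes(raw)


def demo():
    """Parse a constructed two-record file (paths and values are made up)."""
    when = datetime(2007, 11, 6, 15, 30, 54, tzinfo=timezone.utc)
    folder = "C:\\Documents and Settings\\Demo\\My Documents\\"
    header = struct.pack("<IIIII", 5, 2, 2, RECORD_SIZE, 0)   # constructed header
    data = (header
            + build_record(1, folder + "notes.txt", when, 4096, removed=True)
            + build_record(2, folder + "sample sheet.xls", when, 20480))
    return parse_info2(data)


if __name__ == "__main__":
    for rec in demo():
        print(rec["offset"], rec["index"], rec["deleted_utc"].isoformat(),
              rec["size"], rec["still_in_bin"], rec["path"])
```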

Forensic Analysis

• File Signature Analysis
• File Hash Analysis
• Analysis Examples …

Signature Analysis

Signature Analysis

Signature Analysis

Hash Analysis

Forensic Analysis

• Key Term Searching
  – Index full contents of the image for searching
  – Tips for this method
• File Filtering
  – Date ranges
  – File type(s)
  – Duplicates
  – Known Files (KFF)
  – Even combinations of multiple filters

Forensic Analysis

• Email Activity
• Printing Activity
  – Look for printing spool/shadow files
    • Can possibly contain the data that was sent to a printer
• Network Activity
  – Network connections
  – Wireless access points
  – Shared network folders/files

Forensic Analysis

• Hiberfil.sys Analysis
  – Data is written to “hiberfil.sys” file when a machine is put in hibernation mode on the Windows OS
    • Usually recent data
  – May contain passwords, login information, temporary data, whole or partial documents
• RAM Analysis
  – Can only be acquired on a live system
    • Analyst will change data on the system
  – May contain passwords, login information, temporary data, whole or partial documents, currently running processes

Forensic Analysis

• Unallocated Space
  – Partial documents
  – Overwritten files
• Drive Free Space
• File Slack

Mobile Device Acquisition

• Photograph, document and begin Chain of Custody
• Obtain password if enabled
• Obtain charger and maintain power to the device
• Cut off network communications
  – Faraday bag or Airplane Mode
• Determine acquisition/data extraction method
  – Device
    • CellDek
    • Device Seizure
    • MPE+
  – SIM Card – CellDek, Device Seizure or MPE+
  – Media/SD Card - EnCase

Mobile Device Analysis

• Not to be considered an “Image”
  – Extraction of artifacts from device’s databases
• Some Items That Can Be Acquired
  – SMS/MMS
  – Email
  – Contacts
  – Calendar
• Searching
  – Able to search within the device’s extracted data for key terms.
  – Bookmark items that are relevant to the case

Mobile Device Analysis

• Reporting
  – Tools include report generators
    • HTML
    • CSV / XLS
    • PDF
  – Include ALL items or only Bookmarked items
    • Helps to limit amount of irrelevant data in the reports

Evidence/Analysis Reporting

• Native File Exports
  – Provide files in native format on CD, DVD or External HDD
  – Allows client to view the files as the custodian did
  – Keeps metadata intact
• Metadata Report
  – Excel spreadsheet containing all the metadata of the native file export
  – Easy way to look through and sort the files in one place

Evidence/Analysis Reporting

• Detailed Forensic Report
  – Report done throughout and after every case
  – Details all work done by forensic analysts from beginning to end
• HTML Based Reports
  – FTK, Device Seizure, CellDEK, Internet Evidence Finder
  – Simple report in web format for easy viewing
• Final Expert Report
  – Completed & signed version of the detailed forensic report
• Expert Testimony
  – Analysts will provide expert testimony in court if required.

For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]

JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115