									Forensic Overview
 10:45-11:45 AM
 Jeffrey Savoy, CISSP GIAC EnCE
 Information Security Officer
 University of Wisconsin Madison
Road Map:

    • Background

    • Digital Preservation

    • Digital Analysis
Background:
Definitions:

      Digital Investigation
            Answer questions about digital events

      Digital Forensic Investigation
            Answer questions about digital events
            so the results are admissible in court
Background:

Sample forensic considerations:

         • Chain-of-Custody
         • Prevent cross contamination during exam
         • Wide acceptance of investigative techniques?
         • Can the findings be duplicated?
Background:

 Examples of digital investigation cases:

    • Electronic harassment (Google, email, etc.)
    • Fraud (spreadsheets, etc)
    • Illegal pornography
    • Stolen computer recovery
        Assist in identifying owner
    • Hacking (software)
-> Media Acquisition

-> Answer questions

-> Ensure answers are correct to
the extent possible
  Digital Investigation Tools:

     A wide variety of tools exist and may operate
     at one or more levels of the investigative
     process, eg Preservation + Analysis


Forensic Tool Kit (FTK)      P/A $1,000

Guidance Software Encase     P/A $1,500

dd & The Sleuth Kit          P/A Open Source
                                     *Approximate; plug-ins, etc.
Evidence Preservation

   Sample guidelines :

      • Preserve original evidence and work on copy
        of data
      • Digital data is fragile, obtain with minimal
        disturbance
      • Results should be repeatable
      • Take good notes!
Evidence Preservation


     • Traditionally obtain an exact copy of data on
     media that survives at power down
        Higher level of certainty

     • Possibly capture the state of a live system
        Lower level of certainty due to side effects
        but may lead to more understanding
Evidence Preservation:
    Where is the evidence?

              •   Hard drives
              •   USB Thumb drives
              •   CDROMs
              •   Floppy diskettes
              •   Palm Pilot
              •   Memory
Evidence Preservation:
Implement media write blockers during acquisition:

   • Prevent changes to evidence
   • Sit between forensic machine and media
          • SCSI, sATA, IDE, etc
Evidence Preservation:
    Write Blocker Kit
            “Ultimate Write Blocker Kit”
                    Full kit approximately $1,800
Evidence Preservation:
                                     Write Blocker




  Implement write blocker bridges:

     firewire/usb -> IDE




                                     Suspect Hard
                                        Drive
Evidence Preservation:

 Implement write blocker bridges:

    firewire/usb -> USB
Evidence Preservation:

Switches can be set
to allow for writes

Can be useful in some cases
(after preservation stage)

Remember to always confirm
Write protection ON.
Evidence Preservation:
  Network Acquisition:

     • Prevent writes to evidence
     • Sometimes best option, eg RAID array
Evidence Preservation:


Raw image
      Only data from the source media
             Example: dd
Embedded image
      Includes additional descriptive data, eg hash values,
      case notes, etc
             Example: Encase evidence file

Review examples…
Evidence Preservation:

dd
     Native to Unix/Linux
            Available for Windows

     Copies chunks of data from one file
     and writes it to another. Only knows
     about files and not file systems, disks,
     etc.
Evidence Preservation:

dd examples:

Create an image of hard drive:

        dd if=/dev/hda bs=2k of=raw.img

Calculate md5 checksum of drive:

        dd if=/dev/hda bs=2k | md5sum

Preserve memory in Windows:

        dd if=\\.\physicalmemory of=c:memory.dd bs=47
                  \\.\ is the Windows way of accessing a device file
Evidence Preservation:
  Encase example:




Highlights:
   • File segment size
   • Compression
Evidence Preservation:
Compare the acquisition hash:

To manually calculated hash at any time:




Values agree ->
Evidence Preservation:

Quick review:

      Acquire media with hardware write
      blockers.

      Examples of dd and Encase



Move to Evidence Analysis…
Evidence Analysis:

  Quick Definitions:

        Sectors and Clusters
        MBR
        Allocated vs Unallocated Clusters
        File Slack
Evidence Analysis:

 Sectors and Clusters

       Sectors: The smallest addressable unit on a
             hard drive, typically 512 bytes

       Clusters: The smallest allocation unit by the
             operating system made up of groups
             of sectors
Evidence Analysis:
 Master Boot Record (MBR)

       In PCs boot code exists in first 446 bytes
       of the first sector.

       The last bytes contain information on the
       first four partitions.

       The boot process gets code from the MBR, then
       looks for the first bootable partition location
       and finds additional boot code there.
Evidence Analysis:
 Allocated vs Unallocated Space

       File systems like FAT/NTFS reserve
       clusters for use. As they fill with files, the
       clusters become allocated.

       As files are removed, the clusters become
       unallocated and again available for use by
       the file system.

       Thus, unallocated space may contain useful
       information in an investigation.
Evidence Analysis:

File Slack: The file system pre-allocates space for
individual files (clusters). If a file does not occupy
the full space, the end is “slack”. This slack may
contain information from the previous file.

Similar to recording an hour-long show on VHS tape
and overwriting it with a 30 min show.

Note that File Slack is allocated space.
Evidence Analysis:
Encase displays file slack as red text:




      May find tidbits…
Evidence Analysis:
  Encase view of sample PC media
       Note: MBR, Allocated/Unallocated clusters
Evidence Analysis:
Encase view of Sector 0 containing the MBR
Evidence Analysis:
  We can “sweep” 64 bytes on sector offset 446 to
  manually confirm the partition information
Evidence Analysis:
 Use Encase “Bookmark” to translate to the partition
 information.


                                  Type:


                                  Status: 80 is the
                                  bootable partition
                                  -in this case the
                                  NTFS partition
Evidence Analysis:
  Encase “report” view of same disk confirms the
  information.
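
The manual check from the previous slides (sweep the 64 bytes at offset 446 of sector 0 and decode them) can be scripted. This is an added example, not part of the original slides; the function names, the short type table and the sample sector are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446   # boot code fills bytes 0-445 of sector 0
ENTRY_SIZE = 16      # 4 entries x 16 bytes = the 64 bytes swept on the slide
# Short constructed lookup of common partition type bytes (not exhaustive)
TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

def parse_mbr(sector0: bytes):
    """Decode the four primary partition entries from sector 0."""
    if len(sector0) < SECTOR:
        raise ValueError("need all 512 bytes of sector 0")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR, or it was wiped")
    parts = []
    for slot in range(4):
        entry = sector0[TABLE_OFFSET + slot * ENTRY_SIZE:][:ENTRY_SIZE]
        # status, CHS start, type, CHS end, first sector (LBA), sector count
        status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0x00:                        # unused slot
            continue
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,          # 0x80 marks the bootable partition
            "status_valid": status in (0x00, 0x80),
            "type": TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_sector": start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts

def build_sample_mbr() -> bytes:
    """Constructed sector 0: bootable NTFS at sector 63, then a FAT32 volume."""
    s = bytearray(SECTOR)
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 4096000)
    fat = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x0B, b"\xfe\xff\xff", 4096063, 2048000)
    s[446:462], s[462:478] = ntfs, fat
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```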
Evidence Analysis:
What happens if the partition table is gone
(on purpose or otherwise)?

The Encase view:




  Note that no logical volumes shown (C: D:) and all
  gray clusters
Evidence Analysis:
   Search for common beginnings of partitions starting
   at sector 63
          MSWIN4.0 -> Windows 98 FAT
          MSWIN5.0 -> Windows 2000, XP FAT
          NTFS -> Windows NTFS
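
The search described on this slide, as an added example that is not part of the original slides: scan from sector 63 for the listed strings at byte 3 of a sector that also ends in 0x55AA. The NTFS total-sector field at offset 0x28 and the backup boot sector placed right after the volume are assumptions taken from the commonly documented NTFS layout; the function names and the sample image are constructed.

```python
import struct

SECTOR = 512
# OEM ID strings as listed on the slide; in a FAT/NTFS boot sector they start at byte 3
OEM_IDS = {b"MSWIN4.0": "Windows 98 FAT",
           b"MSWIN5.0": "Windows 2000, XP FAT",
           b"NTFS": "Windows NTFS"}

def find_boot_sectors(image: bytes, first_sector: int = 63):
    """Scan sector by sector for candidate partition boot sectors."""
    hits = []
    for lba in range(first_sector, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != b"\x55\xaa":          # boot sectors end in 0x55AA
            continue
        fs = next((v for k, v in OEM_IDS.items() if sec[3:11].startswith(k)), None)
        if fs is None:
            continue
        hit = {"lba": lba, "fs": fs, "total_sectors": None, "backup_of": None}
        if fs == "Windows NTFS":
            # Assumption: 64-bit total-sector count at offset 0x28, and the backup
            # boot sector stored in the sector right after the volume's last sector
            hit["total_sectors"] = struct.unpack_from("<Q", sec, 0x28)[0]
            for prev in hits:
                if prev["total_sectors"] and prev["lba"] + prev["total_sectors"] == lba:
                    hit["backup_of"] = prev["lba"]
        hits.append(hit)
    return hits

def build_sample_image() -> bytes:
    """Constructed 200-sector image with a wiped sector 0 and one NTFS volume."""
    img = bytearray(200 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into("<Q", boot, 0x28, 99)               # volume length in sectors
    boot[510:512] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = boot                  # primary boot sector
    img[162 * SECTOR:163 * SECTOR] = boot                # backup copy at 63 + 99
    img[100 * SECTOR + 40:100 * SECTOR + 44] = b"NTFS"   # decoy text inside a file
    return bytes(img)

if __name__ == "__main__":
    for h in find_boot_sectors(build_sample_image()):
        print(h)
```

A hit flagged as a backup copy should not be treated as the start of a second partition.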
Evidence Analysis:
 Now inform Encase that we believe that this location
 contains a NTFS partition
Evidence Analysis:




 The volume now appears ->

 Can save to Encase “case”
 to be retained after shut down.
Evidence Analysis:
 In reviewing files, Encase provides the below GUI:




  Note ability to sort columns and files listed out
Evidence Analysis:
Encase GUI provides the ability to filter:
  • Used to view files based on supplied criteria
  • Can be used to reduce many thousands of files to
     more manageable level




         Example of listing only Word docs
Evidence Analysis:
 Searches:
       Major activity in many investigations
       Decide on text terms or patterns
Evidence Analysis:
When doing text/pattern searches
usually also run:

• File signature verification
         Review file headers
• Hash computation
         Compute hashes
         on all files

Review both in a moment…
Evidence Analysis:

 Search hits displayed along with their locations on
 the media:




        Note keyword hits in unallocated clusters
Evidence Analysis:
File Signature verification:

     Encase can compare each file header to library
     of over 220 unique known signatures in order
     to determine file type, eg .doc, .jpg, etc




                How is this useful?
Evidence Analysis:
 Case one:
     A file header matches a known value but the
     extension does not match

     Can assist in finding files with changed extensions
     For example renaming a .jpg file with a .txt
     extension:




     Can do for every file and quick sort to search
     for inconsistencies
Evidence Analysis:
 Case two:
   A file header matches a known value but the
   file does not have an extension
   Encase will act consistent with header when
   file is double clicked, eg launch Excel for
   a file matching Excel header
   Encase will act consistent with header when
   file is viewed, eg Gallery view will display
   pictures even though no extensions
           Useful for media with the Macintosh
           HFS file system
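
Both cases can be reproduced outside Encase by comparing each file's leading bytes with its extension and sorting the inconsistencies to the top. This is an added example, not Encase's own logic; the five-entry signature table, the verdict labels and the sample files are constructed for illustration.

```python
import os

# Constructed mini signature library: (header bytes, file type, expected extensions)
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "MS Office (OLE2)", {".doc", ".xls", ".ppt"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"GIF8", "GIF image", {".gif"}),
]
CLAIMED = set().union(*(exts for _, _, exts in SIGNATURES))

def verify_signature(name: str, header: bytes):
    """Return (verdict, detected type) for one file name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            if not ext:
                return ("no extension", kind)        # case two on the slides
            if ext in exts:
                return ("match", kind)
            return ("extension mismatch", kind)      # case one on the slides
    if ext in CLAIMED:
        return ("header mismatch", None)   # extension claims a type the header lacks
    return ("unknown", None)

def triage(files):
    """Verify every (name, header) pair and sort inconsistencies to the top."""
    rank = {"extension mismatch": 0, "header mismatch": 1, "no extension": 2,
            "unknown": 3, "match": 4}
    rows = [(name, *verify_signature(name, header)) for name, header in files]
    return sorted(rows, key=lambda r: (rank[r[1]], r[0]))

# Constructed sample: file names paired with the first bytes of each file
SAMPLE = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x00\x18Exif"),            # renamed .jpg
    ("budget", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("report.pdf", b"MZ\x90\x00"),
    ("readme.txt", b"plain text here"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```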
Evidence Analysis:
Hash computation:

      Calculate the MD5 hash of every file
Evidence Analysis:
Hash computation:

    Uses:

    • Find specific file
        Third party may provide hashes to search
           Malware, illegal images, etc
    • Filter known files
        Faster searches! Example…
Evidence Analysis:
  Import NIST known OS md5 hashes
  available on their web site
Evidence Analysis:
 Encase now indicates “*known” files (* used for
 sorting purposes):
Evidence Analysis:
  Now use an Encase Filter to remove these files
  from view and searches:




 In this case, reduced 21,088 files to 14,787
        30% fewer files to search!
Evidence Analysis:
 Data Carving within Encase

    Can match headers/footers/file size/etc.
    and search through unallocated space and “carve”
    out files and save them to the forensic machine for review
           Commonly search for jpegs, html, etc

    Since searching through unallocated space, the
    files found may not be complete

    Encase provides EnScript to do this (similar to C++)
Evidence Analysis:
 Run EnScript:
Evidence Analysis:



Carve out any found
jpegs in the unallocated
clusters

Likely to include incomplete
jpegs since they may have been
overwritten
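
Header/footer carving as described on the last two slides, written as an added Python example rather than the EnScript shown in the presentation. It flags a candidate as incomplete when no footer is found before the next header or the size limit; the function names and the sample buffer are constructed.

```python
SOI = b"\xff\xd8\xff"   # JPEG header: start-of-image marker plus next marker prefix
EOI = b"\xff\xd9"       # JPEG footer: end-of-image marker

def carve_jpegs(unallocated: bytes, max_size: int = 10 * 1024 * 1024):
    """Carve JPEG candidates by header/footer; flag those with no footer."""
    carved = []
    pos = unallocated.find(SOI)
    while pos != -1:
        limit = min(len(unallocated), pos + max_size)
        nxt = unallocated.find(SOI, pos + len(SOI), limit)   # next header, if any
        end = unallocated.find(EOI, pos + len(SOI), limit)   # footer, if any
        if end != -1 and (nxt == -1 or end < nxt):
            stop, complete = end + len(EOI), True
        else:
            # Footer missing or beyond the next header: the tail was overwritten
            stop, complete = (nxt if nxt != -1 else limit), False
        carved.append({"offset": pos, "length": stop - pos, "complete": complete,
                       "data": unallocated[pos:stop]})
        pos = unallocated.find(SOI, stop)
    return carved

def build_sample() -> bytes:
    """Constructed 'unallocated space': two whole and two truncated JPEG stubs."""
    whole = SOI + b"\xe0" + b"A" * 20 + EOI
    cut = SOI + b"\xe0" + b"B" * 30          # header and data, footer overwritten
    return b"\x00" * 100 + whole + b"\x11" * 50 + cut + whole + b"\x00" * 40 + cut

if __name__ == "__main__":
    for c in carve_jpegs(build_sample()):
        print(c["offset"], c["length"], "complete" if c["complete"] else "INCOMPLETE")
```

Because a header seen before the footer is treated as the start of a new file, a JPEG that embeds a thumbnail is split by this simple approach; carvers that parse the JPEG segment structure avoid that.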
Evidence Analysis:
   Recovery of deleted files:
Evidence Analysis:
   Example of wiping files in software:
          Encrypt existing folder using Microsoft Encrypting File
          System (EFS). Note TMP artifact left after conversion




    Use the cipher command to wipe directory:




    Result:
Evidence Analysis:

     Recycle Bin:
          Windows 98, NT, 2000, XP

     The default process when a file is moved to the
     Recycle Bin:
           1. New file entry in Recycle Bin
           2. Additional information about the file in a hidden
           system file named INFO2
                  Most important can be the
                  delete date and time
Evidence Analysis:


  Each INFO2 record is 800 bytes

  When the file is deleted, the file is removed as
  well as the corresponding INFO2 record, both of
  which may be recoverable

                 Example..
Evidence Analysis:
  INFO2 file found in the recycler bin:



  Can sweep 800 bytes:




  Bookmark to display information:
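
Sweeping an 800-byte record and decoding it can also be done in a few lines of Python. This is an added example, not from the original slides; apart from the 800-byte record size, the field offsets (16-byte header, 260-byte ANSI path, index, drive number, FILETIME, size, Unicode path) follow the commonly documented Windows 2000/XP layout and are assumptions here, and the sample file is constructed.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 16
RECORD_SIZE = 800                      # record length stated on the slide
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_info2(data: bytes):
    """Decode INFO2 records (assumed Windows 2000/XP layout, see lead-in)."""
    if struct.unpack_from("<I", data, 12)[0] != RECORD_SIZE:
        raise ValueError("header does not declare 800-byte records")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive, filetime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:800].decode("utf-16-le", "replace").split("\x00")[0]
        records.append({
            "original_path": path,
            # Name of the renamed file in the bin: D + drive letter + index + extension
            "bin_name": f"D{chr(ord('a') + drive)}{index}{ntpath.splitext(path)[1]}",
            # FILETIME counts 100 ns ticks since 1601-01-01 UTC
            "deleted_utc": EPOCH_1601 + timedelta(microseconds=filetime // 10),
            "size": size,
            # Assumption: first ANSI path byte is zeroed once the entry leaves the bin
            "removed_from_bin": rec[0] == 0,
        })
    return records

def build_sample_info2() -> bytes:
    """Constructed INFO2 with two records; the second has left the bin."""
    when = datetime(2006, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
    ft = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    out = struct.pack("<IIII", 5, 0, 0, RECORD_SIZE)    # only offset 12 is read here
    for i, name in enumerate(["plan.doc", "list.xls"], start=1):
        path = "C:\\Documents and Settings\\user\\Desktop\\" + name
        rec = bytearray(RECORD_SIZE)
        rec[0:len(path)] = path.encode("ascii")
        struct.pack_into("<IIQI", rec, 260, i, 2, ft, 24576)
        wide = path.encode("utf-16-le")
        rec[280:280 + len(wide)] = wide
        if i == 2:
            rec[0] = 0
        out += bytes(rec)
    return out

if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(r)
```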
Evidence Analysis:


  Encase allows the ability to export the acquired
  files as a windows share on forensic machine.

        How may this be useful?
Evidence Analysis:

  This is useful to allow third party tools to analyze
  the export share of suspect files

  Examples…
Evidence Analysis:
        Virus Checking of suspect drive:
Evidence Analysis:
 Paraben Forensic Tools
       Email Examiner:
Evidence Analysis:
 Windows Artifacts:
  Documents and Settings/USER/
      Recent/: Recently accessed files, programs, etc
      Stored at this location as link files.




  Print spooler
         Past printouts written to disk
         Search for EMF files in unallocated space
Evidence Analysis:
 View web cache:




 View browser history:
Event reconstruction:

    • Restoring evidence
       Export programs to run on forensic machine

    • Boot into suspects drive
       Commonly use VMware
Event reconstruction:

Encase allows acquired files to be
exported as a physical disk
Event reconstruction:
 VMware can use Encase embedded image directly and
 allow virtually booting into suspect drive:
Event reconstruction:

 Use software to reset password to allow access:
Questions?
Resources:


 Windows Forensics and Incident Recovery, Carvey
 File System Forensic Analysis, Carrier
 Forensic Discovery, Farmer, Venema

 Windows dd http://users.erols.com/gmgarner/forensics
 Encase http://www.guidancesoftware.com
 FTK http://www.accessdata.com/Product04_Overview.htm?ProductNum=04
 Ultimate Write Blocker Kit http://www.forensicpc.com/products.asp?cat=13
 NIST Hashes http://www.nsrl.nist.gov/Downloads.htm
 The Sleuth Kit (TSK) http://www.sleuthkit.org/

 Paraben Software www.paraben-forensics.com

								