CSCD 496 Computer Forensics

CSCD 496
Computer Forensics
Lecture 6
Tools for Computer Forensics
Winter 2010

Introduction
• A successful Computer Forensics investigator
  – Must have a lot of tools!
  – Think of tools like Batman's utility belt
  – James Bond's special devices
• While you won't be sticking to walls ...

Introduction
• Computer Security is similar to Digital Forensics
  – Need knowledge of OS's, networks, software vulnerabilities, defensive software
    • Firewalls, anti-virus software, intrusion detection
• Digital Forensics differs
  – Evidence is the focus, not preventing compromise
  – Specialized tools become critical to collecting and preserving evidence

Goal of Having Tools
• Prior to investing time/money in tool(s)
  – Ask: What will the tool do for me?
    • Automated features – save time
    • Allow examination of new file systems
    • Vendor reputation – increases confidence in results

Types of Tools
• Two main categories of tools
  – Hardware Tools
    • Range from simple single-purpose components to complete forensics systems
  – Software Tools
    • Most common are Windows and Linux OS based
    • Simple image makers to full-featured programs
• Frequently use both in collecting and preserving evidence

Investigative Process Model
The process begins with an incident alert and ends with testimony. Phases, in order:
• Incident alerts or accusation
• Assessment of worth
• Incident/crime scene protocols
• Identification of seizure
• Preservation
• Recovery
• Harvesting
• Reduction
• Organization and search
• Analysis
• Reporting
• Persuasion and testimony
Case management spans the whole process; the model marks tool use at the seizure, recovery and analysis stages.

Type of Tools
• Hardware Tools
  – Complete investigative systems, Digital Forensics Workstation
    • Can put one together yourself
      – Suggestions in Chapters 2 and 3
    • Buy one ready made like the F.R.E.D. Forensic Recovery and Forensics Device
      – www.digitalintel.com
    • About $6000

F.R.E.D. Information
• FORENSIC SYSTEMS
• “F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling most challenging computer case”
• F.R.E.D. professional forensic systems, and the Digital Intelligence UltraBay universal write protected imaging bay, deliver the ability to easily duplicate evidence directly from IDE/SCSI/SATA hard drives, floppies, CDs, DVDs, ZIP cartridges, 4MM DAT tapes and PC Card/Smartmedia/SD-MMC/Memory Stick/Compact

Hardware Forensic Devices
• Write Blockers
  – Hardware
    • Device that intercepts data intended for the disk
    • Prevents writing that could alter data
    • Many types
      – IDE, SCSI and SATA interfaces
    • Connect your evidence disk drive to your workstation and start the OS as usual
    • Acts as a bridge between the disk drive and the forensic workstation

Write Blocker Hardware
• Implement media write blockers during acquisition:
  – Prevent changes to evidence
  – Sit between forensic machine and media
    • SCSI, SATA, IDE, etc.

Hardware Forensic Devices
• Hardware Write Blocker
  – In Windows the drive appears as any other drive
  – Can access the drive to view files
  – Or use Word to read files
  – When you copy data to the blocked drive
    • Windows shows the copy was a success
    • Write blocker actually discards the data
    • Data is written to NULL
    • When you look at the disk, you won't see the data or files you copied to it

UltraBlock-SATA
• Example – Digital Intelligence
  – http://www.digitalintelligence.com/products/ultrablock/
• The UltraBlock-SATA can be connected to your laptop or desktop using the FireWire-A (400 Mb/s) or FireWire-B (800 Mb/s) interfaces
• Like the UltraBlock-IDE, the UltraBlock-SATA is provided with write protection enabled by default
  – Is user configurable for Read-Only or Read-Write operation
  – Cost:
    • UltraBlock-SATA: $199
    • UltraBlock-SATA Kit: $281
    • UltraBlock SCSI Kit: $446

Type of Tools
• Software Tools
  – Most common and numerous compared to hardware
  – Command line tools, GUI tools, Windows, Unix/Linux, OS-specific tools
  – Today, look mostly at Windows tools
    • Later, cover Linux/Unix OS tools, mostly open source
  – One way to group tools is by investigative function
    • Can be grouped into five categories which map to tasks used in a computer investigation
  – Some of these tools are specific to a single task
  – Others are full-featured programs used across all tasks

Tools by Investigative Tasks
• Tasks include
  1. Acquisition
  2. Validation and Discrimination
  3. Extraction
  4. Reconstruction
  5. Reporting

Acquisition
• What is the goal of acquisition?
  – Obtaining the data from a crime scene
• Typically the first step in an investigation
  – Make a copy of the original disk drive
  – Preserve digital evidence
  – Two types of software acquisition
    • Physical copying of a disk – the entire disk
    • Logical copying of a disk partition

Acquisition
• Bit Stream copy
  – Bit-by-bit copy of the original storage medium
  – Exact duplicate
  – Example: dd command in Unix/Linux
  – Creates a file, called a Bit Stream Image file
  – Already covered this ...

Acquisition – Image File
• X-Ways Forensics example

Acquisition – Image File
• EnCase example

Validation and Discrimination
• Validation of Data
  – Why do we do this?
  – Ensures integrity of data
  – Need this to prove guilt or innocence to the legal system
  – Where we use hashes of the original data and compare to copies of the acquired data
  – Do this each time we access the copy
  – Most integrated forensics tools do this automatically for you

Validation and Discrimination
• Discrimination of Data
  – Sorting and searching of data
  – Purpose:
    • Separate “good” data from “suspicious” data
• Subfunctions of Validation and Discrimination
  – Hashing
  – Filtering
  – Analysis of file headers

Validation and Discrimination
• Hash Values of Known Files
  – Discriminate between known files and unknown files
  – Known list of good file hash values
  – Maintained by NIST at the National Software Reference Library (NSRL)
    http://www.nsrl.nist.gov/Downloads.htm
  – Forensics tools import known good file hashes
    • Compare them to files on the suspect drive

Validation and Discrimination
• Analyze Header Values
  – Many programs include a list of common file header values
  – Known file types have distinctive headers
  – Allow the OS to determine file type
  – See whether the file extension matches the header value
  – Common to hide files by changing the extension
    • .jpg or .gif becomes .txt
    • Header will disagree – shows up in the tool

Extraction
• Most demanding task
• Recover digital evidence
  – View data, keyword search, file carving, decryption
  – Tools below have a nice GUI, plus offer all of the above capabilities
  – FTK, EnCase, SMART, iLook, ProDiscover

Extraction
• Keyword Search
  – Allows you to search for keywords of interest
  – When doing text/pattern searches, usually also run:
    • File signature verification
      – Review file headers
      – Match with extension
    • Hash computation
      – Compute hashes on all files

Extraction
• File Signature Verification
  – EnCase can compare each file header to a library of over 220 unique known signatures to determine file type, e.g. .doc, .jpg, etc.

Extraction
• Case one: a file header matches a known value but the extension does not match
  – Can assist in finding files with changed extensions
  – For example, renaming a .jpg file with a .txt extension
  – Can do this for every file and quick-sort to search for inconsistencies

Extraction
• Case two: a file header matches a known value but the file does not have an extension
  – EnCase will act consistent with the header when the file is double-clicked
    • e.g. launch Excel for a file matching the Excel header
  – EnCase will act consistent with the header when the file is viewed
    • e.g. Gallery view will display pictures even though they have no extensions

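The header-versus-extension check on slides 22 and 25–27 is simple enough to script. The Python below is an added example, not code from the lecture or from EnCase: it carries a small constructed signature table (a real tool ships hundreds of entries), classifies each file into the two cases above plus "match" and "unknown", and groups the results so inconsistencies can be sorted to the top. The sample file names and bytes are constructed for the example.

```python
import os

# Signature table: magic bytes at offset 0 -> extensions that legitimately carry them.
# Constructed subset for this example; EnCase's library has over 220 entries.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),   # ZIP container formats
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt"}),  # OLE2 compound file
    (b"MZ", {"exe", "dll", "sys"}),
]

def identify_header(data):
    """Return the extensions consistent with the file's leading bytes, or None if unknown."""
    for magic, exts in SIGNATURES:
        if data[:len(magic)] == magic:
            return exts
    return None

def verify_signature(name, data):
    """Classify one file:
    'match'         header known and the extension agrees
    'mismatch'      header known but the extension disagrees (case one: renamed file)
    'no-extension'  header known, file has no extension (case two)
    'unknown'       header not in the signature table
    """
    exts = identify_header(data)
    if exts is None:
        return "unknown"
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    if not ext:
        return "no-extension"
    return "match" if ext in exts else "mismatch"

def signature_report(files):
    """Run verification over a {name: bytes} map and group names by verdict,
    so the inconsistent files can be sorted to the top as a tool's filter would."""
    report = {"match": [], "mismatch": [], "no-extension": [], "unknown": []}
    for name, data in sorted(files.items()):
        report[verify_signature(name, data)].append(name)
    return report

# Constructed sample files (names and contents invented for this example).
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF...",
    "readme.txt":   b"\xff\xd8\xff\xe0\x00\x10JFIF...",     # JPEG renamed to .txt (case one)
    "budget":       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1...", # OLE2 (Excel) file, no extension (case two)
    "notes.txt":    b"plain text, no magic bytes",
    "report.pdf":   b"%PDF-1.4 ...",
}

if __name__ == "__main__":
    for verdict, names in signature_report(SAMPLE_FILES).items():
        print(f"{verdict:13s} {names}")
```

Only the first bytes of each file are read, so the same routine scales to every file on an image; a real tool additionally handles formats whose magic sits at a non-zero offset, which this table does not.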
Extraction
• Hash computation
  – Calculate the MD5 hash of every file

Extraction
• Import NIST known OS MD5 or SHA-1 hashes available on their web site

Evidence Analysis
• EnCase now indicates “*known” files
  – (* used for sorting purposes)

Extraction
• Now use an EnCase Filter to remove these files from view and searches
  – In this case, reduced 21,085 files to 14,787
  – 30% fewer files to search!

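The validation step on slide 19 and the known-file discrimination on slides 21 and 28–31 are both hash comparisons, so one script covers them. The Python below is an added example, not code from the lecture or any of the tools named: it hashes an acquired copy against the original (and shows that a single altered byte is caught), then filters a set of files against a known-good hash set the way the EnCase filter above shrank 21,085 files to 14,787. The disk contents, file names and "known" set are constructed stand-ins for a suspect drive and an NSRL download.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample "files" standing in for the contents of a suspect drive.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed OS binary #1",
    "Windows/System32/ntdll.dll":    b"constructed OS binary #2",
    "Users/jdoe/notes.txt":          b"meeting at 9, bring the drive",
    "Users/jdoe/photo.jpg":          b"\xff\xd8\xff\xe0constructed jpeg",
}

def hash_bytes(data, algorithm="md5"):
    """Hex digest of in-memory data (md5 or sha1, the algorithms NSRL publishes)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()

def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(original_path, copy_path, algorithm="md5"):
    """Validation: the acquired copy is trusted only if its hash equals the original's."""
    return hash_file(original_path, algorithm) == hash_file(copy_path, algorithm)

def build_known_hash_set(known_contents, algorithm="md5"):
    """Stand-in for an imported NSRL-style list of known-good hashes.
    In practice the set is loaded from the NSRL download, not computed locally."""
    return {hash_bytes(data, algorithm) for data in known_contents}

def filter_known_files(file_hashes, known_hashes):
    """Discrimination: split a {path: hash} map into known files and the remainder."""
    known = {p: h for p, h in file_hashes.items() if h in known_hashes}
    unknown = {p: h for p, h in file_hashes.items() if h not in known_hashes}
    return known, unknown

def demo():
    """Run validation and discrimination on the constructed data; return the results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Validation: hash the "original disk", hash the acquired copy, compare.
        original = os.path.join(tmp, "suspect_disk.raw")
        copy = os.path.join(tmp, "suspect_disk_copy.dd")
        with open(original, "wb") as f:
            f.write(b"".join(SAMPLE_FILES.values()))  # constructed disk contents
        shutil.copyfile(original, copy)
        results["copy_valid"] = verify_copy(original, copy)

        # Simulate an accidental write to the copy (one changed byte) and re-check:
        # this is what the per-access re-hash on slide 19 is meant to catch.
        with open(copy, "r+b") as f:
            f.seek(3)
            f.write(b"X")
        results["tampered_copy_valid"] = verify_copy(original, copy)

        # Discrimination: compare every file's hash against the known-good set.
        file_hashes = {path: hash_bytes(data) for path, data in SAMPLE_FILES.items()}
        known_set = build_known_hash_set([
            SAMPLE_FILES["Windows/System32/kernel32.dll"],
            SAMPLE_FILES["Windows/System32/ntdll.dll"],
        ])
        known, unknown = filter_known_files(file_hashes, known_set)
        results["known_count"] = len(known)
        results["unknown_count"] = len(unknown)
        results["reduction_percent"] = round(100 * len(known) / len(file_hashes))
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The copy is re-hashed rather than compared byte-for-byte because the hash of the original is what gets recorded in the case notes; any later check only needs that recorded value, not continued access to the original media.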
Extraction
• Reconstruct file fragments
  – From deleted files
  – Called “carving” in the US
    • Locate file header information
    • Most tools also analyze unallocated areas of a disk drive or bit stream image file
    • Locate the entire file structure; the file fragments are carved out and copied to a new file

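Header-to-footer carving of unallocated space, as an added example that is not part of the lecture or any tool it names. The Python below scans a byte buffer for known headers, cuts from each header to its matching footer, and reports a header whose footer is missing as a partial so the analyst knows a file was there but is incomplete. The signature table and the "unallocated space" buffer are constructed for the example.

```python
import os

# Header/footer pairs used to carve complete files out of unallocated space.
# Constructed subset for this example; real carvers know many more formats.
CARVE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(unallocated, signatures=CARVE_SIGNATURES, max_size=16 * 1024 * 1024):
    """Scan a byte buffer (unallocated clusters or a whole bit-stream image) for known
    headers and cut from each header to the next matching footer within max_size.
    Returns a sorted list of (offset, kind, bytes). A header with no footer in range is
    reported as '<kind>-partial' carrying just the header bytes, so the hit is not lost."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = unallocated.find(header)
        while pos != -1:
            end = unallocated.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append((pos, f"{kind}-partial", unallocated[pos:pos + len(header)]))
                pos = unallocated.find(header, pos + 1)   # keep scanning past this header
                continue
            end += len(footer)
            found.append((pos, kind, unallocated[pos:end]))
            pos = unallocated.find(header, end)          # resume after the carved file
    return sorted(found, key=lambda hit: hit[0])

def write_carved(hits, outdir):
    """Copy each carved object to its own file, named by offset so it can be traced
    back to the image. Returns the list of paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, kind, data in hits:
        if kind.endswith("-partial"):
            continue   # only complete files are written out; partials are reported
        path = os.path.join(outdir, f"{offset:08x}.{kind}")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths

def build_sample_unallocated():
    """Constructed 'unallocated space': zero filler with file remnants dropped in."""
    filler = b"\x00" * 32
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"                 # complete, 26 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 12 + b"IEND\xae\x42\x60\x82"     # complete, 28 bytes
    partial = b"\xff\xd8\xff\xe1" + b"j" * 10                             # footer overwritten
    return filler + jpeg + filler + png + filler + partial + filler

if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_unallocated()):
        print(f"offset {offset:6d}  {kind:12s}  {len(data)} bytes")
```

The max_size bound matters on real images: without it a header whose footer was overwritten would swallow everything up to the next unrelated footer of the same type, producing one huge bogus file instead of a flagged partial.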
Extraction
• Decryption
  – Encrypted data is a problem for forensics investigations
  – Files can be encrypted, or an entire disk or partition
  – Some tools produce a list of words for password guessing of an encrypted area
  – Could possibly locate the password in a temporary file on disk, if you are lucky!!
  – Can also run a brute force attack against the file

Reconstruction
• Task of re-creating a suspect's disk drive
  – Don't always have to do this, depends
• Run the suspect computer to show what happened during a crime
• Or, create an identical copy for other investigators
• Do a bit-by-bit copy to a disk identical to the suspect disk
• Disk technology changes pretty fast
  – Not likely to find an identical drive and model

Reconstruction
• Several ways to do this
  – Disk-to-disk copy
  – Image-to-disk copy
  – Partition-to-partition copy
  – Image-to-partition copy
• Hardware and Software tools
  – All of these tools adjust target disk geometry
    • Means if the target disk differs from the original suspect disk, the tool will map cylinders, sectors and tracks of the original to the target
    • Target disk must be equal or larger in size

Reconstruction
• Hardware Tools
  – Hardware is fastest
  – Logical Forensic SF-5000
  – Logical Forensic MD5
  – Image MaSSter Solo 2
• Software Tools
  – Safeback, SnapCopy plus others

Reporting
• Many forensics tools also do reporting
  – Log Report
    • Produce a report of steps taken in an investigation
    • Good if you need to repeat an investigation
      – Or, review steps taken
    • Peer review of the case
  – FTK, iLook, X-Ways Forensics, EnCase, ProDiscover
    • Plus most others

Validating and Testing Forensic Software
• NIST - National Institute of Standards and Technology
  – NIST sponsored a project called “Computer Forensics Tool Testing” (CFTT)
  – Why might you want to test these tools?

Validating and Testing Forensic Software
• NIST - National Institute of Standards and Technology
  – Publishes articles, tools and procedures for testing and validating computer forensics software
  – Software should be verified so that there is greater confidence in digital evidence used in court
  – http://www.cftt.nist.gov
    • Created a general approach for testing computer forensics tools
    • Criteria for testing are at the same site
  – MD5 and SHA-1 hashes of known files
    • http://www.nsrl.nist.gov/Library_Contents.htm

Examples of Tools
• Disk that came with your book has:
  – Technology Pathways ProDiscover Basic
  – Access Data Forensic Toolkit (FTK), Registry Viewer and FTK Imager
  – Runtime Software DiskExplorer for FAT, NTFS and HDHOST
  – X-Ways Forensics WinHex
• Page xxiii in the text has links to many other tools
• For the next assignment, you get to download tools, play with them ... fun, fun, fun !!!

Resources
• Resources for Tools
  – E-Evidence List of Software Tools
    • http://www.e-evidence.info/vendors.html
  – Open Source Forensics Tools: The Legal Argument, Brian Carrier
    • http://www.digital-evidence.org/papers/opensrc_legal.pdf
    • Nice source of references and tool discussions for open source tools
  – Evaluating Commercial Counter Forensics Tools, Matthew Geiger
    • http://www.dfrws.org/2005/proceedings/geiger_couterforensics.pdf

Summary and Limitations
• Tools are critical to being a Computer Forensics Investigator!!!
• Better set of tools
  – More complete analysis of data
  – More types of analysis, and more data/computers can be analyzed
  – More confidence that data was handled correctly
  – Confidence in evidence increases
  – Important in court
• Tool Limitations
  – Encrypted data, can't help too much
  – Steganography

References
– Nelson, Bill et al. “Guide to Computer Forensics Investigations”
  • Chapter 7

Finish
– Check Web Site for Reading
– Assignment due today,
– Next Assignment on Friday !!!


				
DOCUMENT INFO
posted:2/28/2012
pages:44