Digital Forensics - by habibix


Digital Forensics
  Finding information that has been lost...
  BJ Gleason

The Morning Calm - Mar 24, 2003
  An investigation revealed that a dependant scanned his military ID card, altered the date of
  birth and printed it from an off-post computer. The dependant then laminated his ID card and
  used it to gain access to an off-post drinking establishment. Further investigation revealed
  that the dependant provided two other underage dependants with scanned ID cards with altered
  dates of birth. This incident remains under investigation by Criminal Investigation Division.

The Bush Bill - Sep 6, 2004
  Accepted at Food Lion in North Carolina for $150 of groceries. Cashier gave $50 change.
  Another man arrested for using bills later.

Korea Times, May 31, 2004

In The News
  Toronto police find hotel where child-porn pictures taken
  Fri, 04 Feb 2005 19:47:04 EST - CBC News
  TORONTO - Tips from people living in the Toronto area have led investigators to a hotel in the
  southern United States where pornographic photos of an unidentified child were taken.
  One of the altered pictures police used to identify the U.S. hotel. The photos have been widely
  distributed on the internet by pedophiles.
  On Thursday, Toronto Police released copies with the victim digitally removed, in hopes that
  someone could tell them who the victim is and where the crimes took place.

In the News
  Police hope photo of possible witness leads to child porn victim.

Case Study
  The CSI Effect
The CSI Effect
  Serious concerns that the general public (who comprise the juries) are learning bad science
  from TV shows like CSI. They often have unrealistic ideas of what criminal science can deliver.
  FBI believe that CSI is educating criminals in how to leave a "squeaky clean" crime scene.

Biggest problems
  Wearing too many hats
  Obvious clues
  Unrealistically quick results
  Complete databases
  Abuse of civil rights
  Obvious motives ignored
  Questionable technology
  Unlimited zoom on surveillance videos
  Remember: It's entertainment, not science.

Case Study
  The Bush Memos

60 Minutes II - September 8, 2004
  CBS produced 32-year-old memos detailing President Bush's National Guard Duty.
  CBS said its experts who examined the documents concluded that they were

The Memo

The problems
  "from 187th in"
    Typewriters in 1973 didn't have superscripts.
  Proportional Fonts
    Most typewriters in 1973 used fixed fonts. Proportional not widely used, and probably not in
    the military.

The Word Document

Both Documents Superimposed

Results

Case Study
  The BTK Killer

The BTK Killer
  Was a serial killer who murdered at least ten people in and around Wichita, Kansas, between
  1974 and 1991. He called himself the BTK killer, which stands for Bind, Torture, and Kill.
  Letters were written soon after the killings to police and to local news outlets, boasting of
  the crimes and knowledge of details. After a long hiatus, these letters resumed in 2004.

Going Hi-Tech
  BTK asked the police whether, if he put his writings onto a floppy disk, the disk could be
  traced. He received his answer in a newspaper ad posted in the Wichita Eagle saying it would
  be OK.
  On Feb. 16, 2005 he sent a message to Wichita's Fox affiliate on a floppy.

Examining the Disk
  Previous versions, other deleted files.

On the Disk
  A forensic examination showed a valid file titled 'Test A.RTF.' The document stated:
  "This is a test. See 3X5 Card for details on Communication with me in the newspaper."
  The index card included instructions for future communications through the classified ads.

Examining the File
  The metadata for the document.
  "Christ Lutheran Church"

More Clues on the Disk
  Saved by

And a Quick Internet Search Later...

Caught
  Obtained Rader's daughter's DNA sample to compare with samples found on victims - familial
  match.
  Rader arrested on Feb 25th, confessed on the 26th. On Aug 18th, he was sentenced to ten
  consecutive life terms, which requires a minimum of 175 years without a chance of parole.
Introduction to Digital Forensics

Applying Forensic Science to PCs
  Authorization and Preparation
  Identification
  Documentation, Collection (Seizure), and Preservation
  Examination and Analysis
  Reconstruction
  Reporting Results

Authorization and Preparation
  Search must not violate any laws or give rise to liability
  Employees
    Obtain written authorization
  Law Enforcement
    Search Warrants

Identification
  Determine what devices contain digital evidence
  Determine what data is relevant
  How do we collect and preserve it?

Crime Scene

Example: Evidence in Printers
  If the printer uses a ribbon, it may contain clues as to what was printed.
  Casio CW-50 Thermal CD
  Ribbon from printer

Examining the Ribbon

Next Steps
  Collecting
  Preserving
  Reconstructing
  Evidence from a Crime Where a computer was used
  Digging Deep for Clues...

Your Shovel - Helix
  Incident Response
  Electronic
  Computer
Helix
  700 Meg Download
  Auto Runs in Windows
    Portable Forensic Workstation
    Live System Preview
    Many Forensic Tools
  Bootable Linux Environment
  New Version Available in 2 weeks
  Expanded Manual under development
  Price: Free!

Helix CD

Main Menu

The Tools
  Preview system
  Acquire Disk Images
  Check for Root Kits
  File MD5
  File Recovery
  Documentation
  Photo Search
  Only operates at current user level

Incident Response Tools
  Windows Forensic Toolchest
  Save to Floppy / Network Drive / USB
  We will save it to D:\wft
  Options: Yes, Yes, Yes
  Rootkit: Scan, Save as D:\wft\txt\rootkit.txt
  Open D:\wft\index.html

Photo Search

Problems with previewing a live system
  Everything you do modifies the system.
  Every time you access a file, you update the access time of the file. Even opening MS Office
  documents, without saving them, modifies their internal
  Be very careful, or you can contaminate the crime scene.

Forensic Demo

Examining a Disk - FTK Imager
  Page / Acquire / FTK Imager
  Start Imager

Recovering Data from Disks
Let's Start with a blank floppy
  Start with clean Floppy
  Copy accountinfo.txt to A:
  Overwrite it
  Delete it
  Format it (Quick)

Wipe
  This program will do a secure wipe.
  3 passes: FF, Random, 00
  Page / Incident Response / Misc Tools
  Command Shell
  wipe \\.\a:
  To use disk again, need to format it.

Disks
  Deleted File only marked
    Data Still there
  Overwritten files
    If smaller, segments can still be there.

Slack Space
  A single file occupies a single sector or a single cluster
  Slack space can contain left over bits from other files.

Wiping Drives
  With all the problems we had deleting files from the disk, this program will do it for us.
  Delete Files
  Wipe Free Space, Slack Space, Swap
  Wipe Drive - DOS utility Wipe HD
  BC Wipe - Windows Utility

Erasing Hard Drives - Step 1

Erasing Hard Drives - Step 2

Case #1
  The Blank Disk

Case - Examining a Disk
  You have been contacted by the police. They had raided the home of a suspected drug dealer,
  and as they entered with a no-knock warrant, the dealer grabbed his laptop and fled. They
  caught him several blocks later, but the laptop was gone. The only thing the police were able
  to find was a floppy disk in the garbage that appears blank. They have asked you to examine it.
Process
  Write Protect Floppy
  Preview Floppy
  Duplicate Floppy
  Examine with Forensic Tools
  Recover Data
  Reconstruct Evidence
  Explain to the court

Message Digests
  Calculates a checksum for a file
  Should be unique
  A single character change will alter the checksum
  MD5 - generates 32 digit number

MD5 Demo
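The "Disks", "Slack Space" and "Wipe" slides and the "Process" / "Message Digests" slides are tied together here in an added example that is not part of the presentation. It builds a toy in-memory floppy image with an invented layout (a one-entry directory in sector 0, file data from sector 1, 64-byte sectors) and shows that deleting only clears the directory entry while the data stays in the sectors, that overwriting with a smaller file leaves the tail of the old file behind as slack, that the three-pass FF / random / 00 wipe removes all of it, and that the MD5 digest of a forensic duplicate matches the original while a single flipped bit changes it. The file contents are constructed sample data, not real account information.

```python
"""Toy floppy image: 'deleted' data persists, slack keeps remnants, a wipe
removes them, and MD5 verifies the duplicate.  Layout invented for the demo."""
import hashlib
import os

SECTOR = 64                 # toy sector size (real floppies use 512 bytes)
IMAGE_SECTORS = 8           # 512-byte image, plenty for the demo
DIR_SECTOR = 0              # sector 0: a single 4-byte 'file length' entry
DATA_SECTOR = 1             # sectors 1..7: file data

# Constructed sample file contents (not real account data).
ORIGINAL = b"account=ACCT-0001 pin=4321 owner=Sample User"
SMALLER = b"shopping list: milk, eggs\n"


def new_image() -> bytearray:
    """A freshly formatted (all-zero) disk image."""
    return bytearray(SECTOR * IMAGE_SECTORS)


def write_file(img: bytearray, data: bytes) -> None:
    """Save a file: record its length in the directory and copy the bytes into
    the data area.  Nothing past the new end-of-file is cleared, so an older,
    longer file leaves its tail behind (file slack)."""
    assert len(data) <= SECTOR * (IMAGE_SECTORS - DATA_SECTOR)
    img[DIR_SECTOR:DIR_SECTOR + 4] = len(data).to_bytes(4, "little")
    start = DATA_SECTOR * SECTOR
    img[start:start + len(data)] = data


def delete_file(img: bytearray) -> None:
    """Delete = mark the entry unused (length 0).  The data sectors are left
    untouched, which is why a 'blank' floppy is still worth imaging."""
    img[DIR_SECTOR:DIR_SECTOR + 4] = bytes(4)


def listed_file(img: bytearray) -> bytes:
    """What a normal directory listing shows: only the bytes the directory
    entry still points at."""
    length = int.from_bytes(img[DIR_SECTOR:DIR_SECTOR + 4], "little")
    start = DATA_SECTOR * SECTOR
    return bytes(img[start:start + length])


def carve_strings(img: bytearray, min_len: int = 8) -> list:
    """Ignore the directory and pull printable ASCII runs straight out of the
    data sectors, the way 'strings' is run over an image."""
    runs, cur = [], bytearray()
    for b in img[DATA_SECTOR * SECTOR:]:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def wipe(img: bytearray) -> bytearray:
    """Three full-disk passes in the order the slide lists: FF, random, 00."""
    img[:] = b"\xff" * len(img)
    img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))
    return img


def md5_hex(img: bytearray) -> str:
    """Digest of the whole image (32 hex digits for MD5).  MD5 is what the
    slides use; current practice records SHA-256 alongside it."""
    return hashlib.md5(bytes(img)).hexdigest()


def demo() -> dict:
    """Run the floppy scenario end to end and return what each step shows."""
    img = new_image()
    write_file(img, ORIGINAL)
    write_file(img, SMALLER)                     # overwrite with a smaller file
    after_overwrite = carve_strings(img)         # tail of ORIGINAL survives
    delete_file(img)
    visible = listed_file(img)                   # directory now shows nothing
    after_delete = carve_strings(img)            # raw sectors still have it

    # Duplicate the evidence disk and prove the copy matches the original.
    evidence_md5 = md5_hex(img)
    dup = bytearray(img)
    dup_md5 = md5_hex(dup)
    dup[DATA_SECTOR * SECTOR] ^= 0x01            # flip one bit in the copy
    tampered_md5 = md5_hex(dup)

    wipe(img)
    return {
        "strings_after_overwrite": after_overwrite,
        "visible_after_delete": visible,
        "strings_after_delete": after_delete,
        "evidence_md5": evidence_md5,
        "dup_matches": dup_md5 == evidence_md5,
        "tampered_matches": tampered_md5 == evidence_md5,
        "strings_after_wipe": carve_strings(img),
        "all_zero_after_wipe": not any(img),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints each step's result: the directory listing is empty after the delete, yet `carve_strings` still returns both the smaller file and the " owner=Sample User" tail of the original, and only the wipe leaves an all-zero image with nothing to carve. The digest check is the same idea as the "Duplicate Floppy" step in the Process slide: hash the evidence image and the working copy, and work only on the copy.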

Reconstruction
  Rebuilding deleted, damaged, hidden or encrypted evidence.
  Slack space in files
  Virtual memory files
  Cracking encrypted files
  Reconstructing the crime
    who, when, where, how, why

Forensic Demo
  Cracking Passwords

Try It...
  Accent OFFICE Password Recovery
  D:\Class Materials\locked.doc
  Step 1: No - Brute Force
  Step 2: Next
  Step 3: No - Brute Force
  Step 4: Next
  Step 5: Next
  What is the password?
  What is the content?

Case #2
  Company Porn

Sample Case - Previewing Systems
  You are the system administrator for a small company. Several employees have complained to
  your boss that Mr. Badguy has pornography on his work computer. You are asked to check his
  account.

What to do
  Since we can't see anything from the Windows side, let's use the Bootable Helix tool. This
  will allow us to bypass Windows Security.

Linux Side

Questions?

End of Presentation
