COMPUTER FORENSICS

Aug. 11, 2000
Cambridge, Massachusetts

tan@atstake.com
COMPUTER FORENSICS CAN BE MANY THINGS

- Corporate or University internal investigation
- FBI or (unlikely) Sheriff investigation
- Computer Security Research
- Post Mortem or Damage Assessment

- Child Pornography
- Fraud
- Espionage & Treason
- Corporate or University Policy Violation
- Honey-pots

Computer forensics ultimately supports or refutes a case someone cares to make.
FORENSICS IS A FOUR-STEP PROCESS

- Acquisition
- Identification
- Evaluation
- Presentation

Source: RCMP Technical Security Branch, "Computer Forensics: An Approach to Evidence in Cyberspace" (RCMP GRC Publications), http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm, by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)
PRESENTATION – Starting at the End

- Many findings will not be evaluated to be worthy of presentation as evidence.
- Many findings will need to withstand rigorous examination by another expert witness.
- The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
- The Chain of Custody may be challenged.
EVALUATION – What the Lawyers Do

- This is what lawyers (or those concerned with the case) do. Basically, determine relevance.
- Presentation of findings is key in this phase.
- Findings submitted for evaluation as evidence will not only be evaluated for content but for "chain of custody" problems.
IDENTIFICATION – Technical Analysis

- Physical Context
- Logical Context
- Presentation/Use Context
- Opinion to support relevance of findings
- Handling and labeling of objects submitted for forensic analysis is key.
- Following a documented procedure is key.
FBI List of Computer Forensic Services

- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)
THE EVIDENCE LOCKER

- Restricted access and low traffic, camera-monitored storage.
- Video surveillance & long play video recorders.
- Baggies for screws, and label everything!
- Sign in/out for chain of custody.
ACQUISITION – What Are the Goals?

- Track or observe a live intruder?
- Assess extent of live intrusion?
- Preserve "evidence" for court?
- Close the holes and evict the unwanted guest?
- Support for Sheriff, State Police or FBI arrest?
- Support for court-ordered subpoena?
GROUND ZERO – WHAT TO DO

- Do not start looking through files.
- Start a journal with the date and time; keep detailed notes.
- Unplug the system from the network if possible.
- Do not back the system up with dump or other backup utilities.
- If possible without rebooting, make two byte-by-byte copies of the physical disk.
- Capture network info.
- Capture process listings and open files.
- Capture configuration information to disk and notes.
- Collate mail, DNS and other network service logs to support host data.
- Capture exhaustive external TCP and UDP port scans of the host.
- Contact security department or CERT/management/police or FBI.
- If possible, freeze the system such that the current memory, swap files, and even CPU registers are saved or documented.
- Short-term storage.
- Packaging/labeling.
- Shipping.
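The checklist above, and the "comparison against known data" service from the FBI list earlier, as one worked example added here; it is not code from the original slides or from @stake. It assumes a POSIX sh with dd and sha256sum (or shasum) available; the journal file name, the evidence directory layout, the manifest format ("<sha256>  <path>" per line, in the spirit of the Solaris Fingerprint Database but not its format) and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: a first-responder script for a
# Unix host that follows the GROUND ZERO checklist (journal with date and time,
# two byte-by-byte copies of the disk, volatile state) and then performs the
# "comparison against known data" check from the FBI services list.
# Assumptions: POSIX sh with dd and sha256sum (or shasum); the manifest format
# ("<sha256>  <path>" per line) and all paths are this example's own.

# SHA-256 of one file as a hex string.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Append a UTC-timestamped note to the case journal in directory $1.
journal() {
    jdir=$1; shift
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$jdir/journal.txt"
}

# Make two byte-by-byte copies of $1 under $2 and verify each against the hash
# of the source. Prints the source hash; returns 1 if either copy disagrees.
acquire_image() {
    src=$1; dir=$2
    mkdir -p "$dir"
    journal "$dir" "acquisition started, source=$src"
    ref=$(hash_of "$src")
    journal "$dir" "source sha256=$ref"
    for n in 1 2; do
        # noerror keeps dd reading past unreadable sectors and sync zero-fills
        # them, so offsets in the image stay aligned with the device. (sync also
        # pads a final partial block, so a plain file must be sector-sized.)
        dd if="$src" of="$dir/image$n.dd" bs=512 conv=noerror,sync \
            2> "$dir/image$n.dd.log"
        h=$(hash_of "$dir/image$n.dd")
        journal "$dir" "copy $n sha256=$h"
        [ "$h" = "$ref" ] || { journal "$dir" "MISMATCH on copy $n"; return 1; }
    done
    journal "$dir" "acquisition complete, both copies verified"
    printf '%s\n' "$ref"
}

# Capture process listings, open files and network state into $1/volatile
# before they change. A missing tool is journaled, not fatal.
capture_volatile() {
    dir=$1
    mkdir -p "$dir/volatile"
    for cmd in "ps -ef" "netstat -an" "ifconfig -a" "lsof -n"; do
        name=${cmd%% *}
        if command -v "$name" >/dev/null 2>&1; then
            $cmd > "$dir/volatile/$name.txt" 2>&1 || true
            journal "$dir" "captured: $cmd"
        else
            journal "$dir" "not available on host: $name"
        fi
    done
}

# Compare files under root $2 with a known-good manifest $1 of
# "<sha256>  <path>" lines. Prints OK / MODIFIED / MISSING per entry and
# returns 1 if any binary was modified or is gone.
compare_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1
        elif [ "$(hash_of "$root$path")" = "$want" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MODIFIED %s\n' "$path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed 4096-byte "disk" (8 sectors of 512) for dry runs without a device.
make_sample_disk() {
    i=0
    while [ "$i" -lt 128 ]; do
        printf '%-32s' "constructed sector $i"
        i=$((i + 1))
    done > "$1"
}

# Dry run: sh forensic.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/disk.img"
    acquire_image "$work/disk.img" "$work/evidence"
    capture_volatile "$work/evidence"
    cat "$work/evidence/journal.txt"
fi
```

On a real host, point acquire_image at the raw device (for example /dev/sda) and keep one of the two images sealed in the evidence locker while working only from the other; the journal and the dd logs go with the images as chain-of-custody records. Run the script from a trusted toolkit on read-only media rather than the suspect system's own ps, netstat and lsof, since binaries on a compromised host may themselves have been replaced, which is exactly what compare_manifest is there to detect.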
ADDITIONAL RESOURCES

- RCMP article on the forensic process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner's page: forensic analysis, building honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security's forensic page: The Coroner's Toolkit (Unix), computer forensic class handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Long play video recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
Thank you … very much, MIT!