Properly Obtaining and Securing Evidence in a Computer Crime Investigation
Presented by Amelia Phillips
CIS and Computer Science Departments
Highline Community College, WA

The Computing Investigation Triad
    Vulnerability Assessment and Risk Management
    Intrusion Detection
    Computing Investigations

Amelia Phillips                     Highline Community College                       2
What is Computer Forensics?
    The application of forensic science techniques to the discovery, collection and analysis of digital evidence.

Presentation Overview
    Digital Evidence
    Obtaining the Evidence
    Proper Procedures
          Cataloguing the scene
          Packaging and Transportation
    Forensics Tools
    Example Cases
    Demos

                  Digital Evidence?
    Hard drives
    Floppy disks
    Zip disks
    Jaz drives
    Tapes
    Digital cameras
    CDs
    DVDs
    PDAs
Digital Evidence (cont’d)
    Cell Phones
    Land phones – memory
    Answering machines
    Mini drives
    Thumb drives
    Web cams

The Trouble with Digital Evidence
    It can be volatile
    Extremely fragile
    Easily corrupted

What Computer Forensics is Not
    Network Forensics
    Just Data Recovery
          Some sleuthing involved
          Follow your hunch
    Finding information that is not there
          Digital archaeology

Legal Issues
    At one time - not considered tangible evidence
    4th Amendment
    Recent laws
          US Patriot Act
          Homeland Security
          HIPAA
          Sarbanes-Oxley
          Gramm-Leach-Bliley Act

Current Procedures
    Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
    Published July 2002
    Computer Crime and Intellectual Property Section, Criminal Division - United States Department of Justice

When a computer can be seized
    When there is a warrant
    When the person’s expectation of a “reasonable right of privacy” has not been violated
          Policies on the job
          Just cause

                  Typical Types of Crimes

   White collar crime
        Embezzlement
        credit card fraud
        ½ cent rip-offs
   Email harassment
   Homicide / Suicide



Typical Types of Crimes (cont’d)
    Kidnapping
    Drug Dealers
    Forgery/Fraud/ID Theft
    Pornography – adult/child
    Rape – adult/child
    Auto theft rings



History of Computer Forensics
    FLETC – Federal Law Enforcement Training Center
    RCMP – Royal Canadian Mounted Police
    Multiple DOS versions
    Heavy machines
    Small drives

                    Early Software
    XTree Gold
          Recover files
          Finding files
    Norton Disk Edit
    Expert Witness for the Macintosh




Current Software
    Accessdata’s FTK
    EnCase from one of the makers of Expert Witness
    Paraben Software
    Digital Intelligence
    X-Ways Forensics
          Wanted a way to win at digital games
          Created a hex editor called WinHex
    Many others

                           Hardware
                  FRED – Forensic Recovery of Evidence Device




                  What can be Retrieved
    Files listed in standard directory search
    Hidden files
    Deleted files
    Deleted email
    Passwords
    Login IDs
    Encrypted Files
    Hidden Partitions

                  Operating Systems



                  User Created Files
    Address books
    Audio / video files
    Calendars
    Database files
    Spreadsheets
    Email
    Internet bookmarks
    Documents and text files
                  User Protected Files
    Encrypted files
    Hidden files
    Compressed files
    Misnamed files
    Password protected files
    Steganography



                  Computer Created Files
    Backups
    Cookies
    Configuration files
    History files
    Log files
    Swap files
    System files
    Temporary files
What an OS Does
    Each OS is different in what it does and how it does it
    Your approach will depend upon the situation
    You or whoever does the acquisition should be able to identify the OS and perform a proper shutdown (assuming the system is on)

Where Forensics Tools Look for Information
    In allocated space
    In unallocated space
    In RAM slack
    In file slack
    In hidden partitions

                  RAM Slack




Issues
    Deleted files
          Most Windows OS just change the first letter to a hexadecimal E5
    Swap files
    Deleted email
    Temp files (~)

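The E5 deletion marker described above can be seen by parsing a FAT 8.3 directory entry. This is an added example, not code from the presentation; the directory entries it reads are constructed in the code and are not real disk data.

```python
import struct
from dataclasses import dataclass

DELETED_MARKER = 0xE5  # first byte of a FAT 8.3 entry after the file is deleted
ENTRY_SIZE = 32


@dataclass
class DirEntry:
    name: str            # 8.3 name; first character is unknown once deleted
    deleted: bool
    first_cluster: int
    size: int


def parse_entry(raw: bytes) -> DirEntry:
    """Parse one 32-byte short-name FAT directory entry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("FAT directory entry must be 32 bytes")
    field = raw[0:11]
    deleted = field[0] == DELETED_MARKER
    base = field[0:8].decode("ascii", "replace").rstrip()
    ext = field[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]  # 0xE5 overwrote the first character; it cannot be read back
    name = f"{base}.{ext}" if ext else base
    hi = struct.unpack_from("<H", raw, 20)[0]   # high 16 bits of first cluster (FAT32)
    lo = struct.unpack_from("<H", raw, 26)[0]   # low 16 bits of first cluster
    size = struct.unpack_from("<I", raw, 28)[0]
    return DirEntry(name, deleted, (hi << 16) | lo, size)


def make_entry(name8: str, ext3: str, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed entry for the demo (hypothetical data, not from a real disk)."""
    field = (name8.ljust(8) + ext3.ljust(3)).encode("ascii")
    if deleted:
        field = bytes([DELETED_MARKER]) + field[1:]
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = field
    raw[11] = 0x20  # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def list_directory(sector: bytes) -> list:
    """Walk a directory sector, keeping the deleted entries a normal listing hides."""
    entries = []
    for off in range(0, len(sector), ENTRY_SIZE):
        raw = sector[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:  # 0x00 marks the end of the used entries
            break
        entries.append(parse_entry(raw))
    return entries


# Constructed directory sector: one live file followed by one deleted file.
SAMPLE_DIR = (make_entry("LEDGER", "XLS", 0x123, 40960)
              + make_entry("EMAIL", "PST", 0x456, 1_048_576, deleted=True)
              + bytes(ENTRY_SIZE))
```

The deleted entry still carries its starting cluster and size, which is what lets a forensic tool recover the content even though the first character of the name is gone.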
Properly Securing the Evidence



Standards
    Scientific Working Group for Digital Evidence (SWGDE)
    International Organization on Digital Evidence (IOCE)

Collecting Evidence
    Only one person should collect and catalogue evidence
    If too much for one person, all examiners must follow the same procedures
    Be consistent
    Items collected in a criminal case can be used in a civil case and vice-versa

Evidence rules
    Establishing who created the files
    May rely on circumstantial evidence
    Hash values are used to verify that the evidence has not changed
          CRC
          MD5
          SHA-1
          SHA-256/512

                  Securing the Evidence
    What type of crime?
    Do you need to take all the items?
    Is the computer on at the time of arrival?
    Is the suspect within reach of the device?




                  Standard tools




Tools
    Notepad
    Measuring tape/stick
    Variety of screwdrivers
    Evidence bags
    Needle-nosed pliers
    Bolt cutters
    Digital camera

                  Packing supplies
    Cable tags
    Indelible felt tip markers
    Stick on labels
    Antistatic bags
    Antistatic bubble wrap
    Evidence bags
    Packing tape

                  Other items
    Gloves
    Hand truck
    Large rubber bands
    List of telephone numbers for assistance
    Small flashlight
    Unused floppy disk



                  Examining the scene
    What items are hooked to the computer?
    What operating system is it?
    Is there a power strip hooked to the system?
    Are there sticky notes on the machine?
    What media storage is in the area?
          CDs
          Zips, thumbdrives
          Floppies
    What flyers or pictures are on the wall?


                  Typical scene




What is ‘Chain of Custody’?
    Documentation of dominion and control of evidence
    Physical security of evidence

   How to Get all the Information



Bit Stream Backup
    Sector by sector
    Maps to original drive
    Retrieves existing files, RAM slack, file slack
    Unallocated space
    Most software packages now can analyze from the drive image

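The hash-value slide under Evidence rules and the bit-stream backup slide above describe one workflow, so here is an added example (not from the presentation) that images a constructed in-memory drive sector by sector, verifies the image by MD5 and SHA-256, and then extracts the file slack of one file. The layout it assumes (4 sectors per cluster, cluster n at byte offset n times the cluster size) is a simplification made for the demo.

```python
import hashlib
import io

SECTOR = 512           # bytes per sector
CLUSTER = 4 * SECTOR   # constructed layout: 4 sectors per cluster, cluster n at offset n*CLUSTER


def bit_stream_image(src, dst, sector: int = SECTOR):
    """Copy src to dst one sector at a time, hashing the source as it is read.
    Returns (sectors copied, md5 hex, sha256 hex) for the evidence record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    count = 0
    while True:
        block = src.read(sector)
        if not block:
            break
        if len(block) != sector:  # refuse a partial sector: the image must map 1:1 to the drive
            raise ValueError("source is not a whole number of sectors")
        dst.write(block)
        md5.update(block)
        sha.update(block)
        count += 1
    return count, md5.hexdigest(), sha.hexdigest()


def hash_file(fobj, algo: str = "sha256", sector: int = SECTOR) -> str:
    """Re-hash a finished image so it can be compared with the acquisition hash."""
    h = hashlib.new(algo)
    fobj.seek(0)
    for block in iter(lambda: fobj.read(sector), b""):
        h.update(block)
    return h.hexdigest()


def file_slack(image: bytes, first_cluster: int, logical_size: int, cluster: int = CLUSTER) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster."""
    start = first_cluster * cluster
    end_of_data = start + logical_size
    end_of_cluster = start + ((logical_size + cluster - 1) // cluster) * cluster
    return image[end_of_data:end_of_cluster]


def build_sample_drive() -> bytes:
    """Constructed 8-cluster drive: cluster 2 holds a 600-byte live file, and the rest of
    that cluster still carries remnants of an earlier file that was deleted (hypothetical)."""
    drive = bytearray(8 * CLUSTER)
    remnant = b"OLD NOTE: draft of the message sent 3 Aug"
    drive[2 * CLUSTER + 600:2 * CLUSTER + 600 + len(remnant)] = remnant
    drive[2 * CLUSTER:2 * CLUSTER + 600] = b"A" * 600
    return bytes(drive)


def image_and_verify() -> dict:
    """Acquire, verify, and examine slack, as a lab would before analysis begins."""
    src, dst = io.BytesIO(build_sample_drive()), io.BytesIO()
    sectors, md5_src, sha_src = bit_stream_image(src, dst)
    verified = hash_file(dst) == sha_src and hash_file(dst, "md5") == md5_src
    slack = file_slack(dst.getvalue(), first_cluster=2, logical_size=600)
    return {"sectors": sectors, "verified": verified, "sha256": sha_src, "slack": slack}
```

Because the copy is sector by sector rather than file by file, the slack bytes past the 600-byte file survive in the image, which is why analysis can be done from the image instead of the original drive.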
Tools Needed in the Lab
    A machine that boots to a true DOS prompt
          Windows 98 / 95
    A Windows 2000 machine or later
    A Linux machine
    Standard hardware such as floppy drive, CD drive, thumbdrive and Zip
    Microsoft Office or similar loaded

                     Tools (cont’d)
    Access to additional hardware such as
          SCSI drive
          Small disk drives (10 GB or less)
          Write blocker
          Cables and power cords
    Standard tools
          Screwdrivers
          Wrist guards, etc

                        Software
    Many available
    Digital Intelligence’s
          DriveSpy
    GUI based
          Accessdata’s FTK, Registry Viewer and PRTK
          Hex Workshop
          EnCase
          X-Ways Forensics

Audit Trails
    Computer Forensics supplies an auditor with
          Deleted files
          Deleted email
          Hidden files
          Prior correspondence

Case 1
    A bank received extortion threats from Russian hackers
    The hackers claimed to have control of the bank’s website
    The bank called the FBI
    The FBI created a dummy corporation in Seattle not far out of SeaTac
    They began recruiting people claiming to be a network security company

Case 1 (cont’d)
    The FBI continued to pursue other employees for appearances
    Then the Russians came across their radar screen
    The FBI was able to convince them to come over
    They wined and dined them and finally asked that the Russian suspects demonstrate their skills

Case 1 (page 3)
    The suspects began logging onto their machines in Russia using the ones supplied to them by this dummy company
    Keyloggers were on the machines
    The FBI was able to capture their user accounts and login info over the course of several days
    The FBI logged in and downloaded everything they could off of the servers

Case 1 (page 4)
    Phil Atfield was involved in the investigation
    The suspects were arrested for extortion
    New information
          Hoarded credit cards
          Wrote a Perl script that loads a product on Ebay
          Wrote a second Perl script that upped the bid on the product

Case 1 (page 5)
    New Information (cont’d)
          Made sure that they always won
          Had another script that ranked them as good dealers
    Both PayPal and Ebay got hit with this
    Over $1.7 million that could be proved
    Cost given to consumer

Case 2
    A broker performs services for a client
    Charges for services rendered at over $25 million
    Brokerage firm charges client
    Client denies ever making the purchase
    Broker produces an email authorizing the purchase
    Client still denies and refuses payment

Case 2 (cont’d)
    Broker sues client
    Special Master is called in
    Combs through files
    Finds the UNIX timestamp on the email matched a prior valid email
    Broker had altered email message
    Problem of confidentiality

                  From the Shear Report
    By Kenneth Shear
    Munshani vs. Signal Lake Venture Fund II,
     et al




                  Evidence Examined
    Munshani had two Thinkpad Laptops
    Also a server
    An external SCSI drive
    A backup tape of the laptop
    19 total drives examined
          Imaged with SafeBack
          Imaged with EnCase


Configuration
    Mr. Munshani’s laptop was configured to store the .pst files on the hard drive
    Normally these would reside on the server
    Mr. Trivedi denies ever sending the email
    Mr. Munshani can produce the evidence
    They had emailed in the past

                  The Email
    Questioned message
    Comparator message
    Both sent on August 3, 2000
    Basic header shows nothing of interest
    Expanded header shows the problem




ESMTP
    Extended Simple Mail Transfer Protocol
    Otherwise known as SMTP servers
    Each server assigns a unique ID to the message
    On both messages the ESMTP ids for all three servers listed were the same

Transmission Times

    Server                      ESMTP id        Time stamp A     Time stamp B
    hedgefund.ushedgefund.com   e73MfZ331592    15:45:31 EDT     18:41:35 EDT
    Mail.terago.com             e73MfW903843    14:41:32 CDT     17:41:32 CDT
    Webmail.terago.com          RAA01318        14:41:31 CDT     17:41:31 CDT

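The header comparison behind the ESMTP slide and the table above can be reproduced with an added example that is not from the Shear report or the presentation: two constructed messages reuse the relay names and ESMTP ids from the table, every other header field and both bodies are made up, and the function reports any queue id that appears for the same relay in both messages.

```python
import re

# Sendmail-style Received lines carry the queue id the relay assigned: "... with ESMTP id <id>".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bid\s+(?P<id>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL)


def received_chain(raw_message: str) -> list:
    """Return [(relay host, queue id)] for every Received header, last hop first."""
    header, _, _ = raw_message.partition("\n\n")
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo RFC 5322 header folding
    chain = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            chain.append((m.group("by").lower(), m.group("id")))
    return chain


def shared_queue_ids(msg_a: str, msg_b: str) -> list:
    """Queue ids that appear for the same relay in both messages. A relay assigns a
    fresh id to every message it handles, so a shared id means one message's
    Received headers were copied from the other rather than generated by the relay."""
    return sorted(set(received_chain(msg_a)) & set(received_chain(msg_b)))


# Constructed messages modelled on the table above: relay names and ids come from the
# slide, the addresses, dates, subjects and bodies are made up for this demo.
COMPARATOR = """\
Received: from mail.terago.com (mail.terago.com [192.0.2.10])
\tby hedgefund.ushedgefund.com (8.9.3/8.9.3) with ESMTP id e73MfZ331592
\tfor <recipient@ushedgefund.com>; Thu, 3 Aug 2000 18:41:35 -0400 (EDT)
Received: from webmail.terago.com (webmail.terago.com [192.0.2.11])
\tby mail.terago.com (8.9.3/8.9.3) with ESMTP id e73MfW903843;
\tThu, 3 Aug 2000 17:41:32 -0500 (CDT)
Received: from localhost by webmail.terago.com (8.8.8/8.8.8) id RAA01318;
\tThu, 3 Aug 2000 17:41:31 -0500 (CDT)
Subject: prior valid message

body
"""
# The questioned message differs in subject and body but carries identical relay ids.
QUESTIONED = (COMPARATOR.replace("prior valid message", "authorization to purchase")
              .replace("\nbody\n", "\nPlease proceed with the purchase.\n"))


def check_messages() -> list:
    """Compare the questioned message against the comparator."""
    return shared_queue_ids(QUESTIONED, COMPARATOR)
```

A basic header view shows only From, To, Date and Subject, so the duplicated ids are visible only once the full Received chain is expanded, which is the point the slides make.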
Case 3
    Doctor charged with a crime
    Computers at home and work seized
    HIPAA
    Patient confidentiality
    Special Master called in
    All files not relevant to the people in the case are kept sealed

Case 4
    Midlevel managers at a major firm
    Know that a big deal is about to take place
    Notify friends and family to purchase stock
    Someone blows the whistle
    Investigator able to trace email communications

Case 5
    November 2004
    Two lawyers in Bellevue, WA on opposing sides of a civil case
    Jung was critically shot and wounded by Joice – a former Snohomish County deputy prosecutor
    Computers on both sides were seized
    Situation is such that not even the police can view the contents

Case 5 (cont’d)
    Special Master is called in again
    Tried to ascertain what happened
    Attorney-client privilege
    Only what is relevant can be presented in court or released
    Case is still pending

Case 6
    High level manager accused of getting inside information to close a deal
    Hires the person who gave him the information
    Accusations made
    Audit trail of communiqués made is needed
    Affected over 30 employees’ email
    Over 6 months of investigations
    More accusations made

Case 7
    Ex-husband very wealthy
    Asks ex-wife to house sit
    She steals his gold bullion
    New husband works at Fortune 50 firm
    Ex-husband’s attorney wants his computer from work

Case 7 (cont’d)
    Fortune 50 company refuses to release computer to attorney because of IP and company proprietary information on the machine
    Negotiations made
    Finally – attorney may watch as corporate investigators perform forensic analysis

Case 8
    Company A and Company B are negotiating a deal
    Deal falls through
    Intellectual property involved that belonged to Company B
    Over 300 people had been involved in Company A
    All traces of IP needed to be off their machines

Case 8 (cont’d)
    BCWipe had been useful in prior versions of Windows
    Due to the different versions of Windows and their quirks, it crashed many users’ machines
    Not successful in removing only the relevant IP in documents and email
    Need to avoid litigation

Case 8 (page 3)
    Employees now have to copy any files they need for their other projects off their machine
    Send their hard drives to the lab to be forensically wiped and reloaded
    Cheaper than a lawsuit

Product Demos
    AccessData’s Forensic Toolkit (FTK) and X-Ways Forensics

                  Organizations




                  Q&A



				
Posted: 4/15/2011