CS 447_557 Computer Forensics
CS496
Computer Forensics
Lecture 3
The Investigative Process
Winter 2010

                            1
                Introduction
• Last time
  – History, need and challenges of computer
    forensics


• Today
  – Investigative process
  – Look at process of gathering digital evidence
     • Examples of how evidence can be used to connect
       a perpetrator to the crime
                                                     2
          Take Away Points
1. Importance of having an investigative
   process that’s documented and
   repeatable
  – Want an unbiased investigative process that
    accurately captures and reports evidence
2. Certain steps in an investigative process
    are the same no matter what model is used


                                                  3
        Goal of Investigation
• Uncover and present the truth of a crime
  or event by the evidence gathered
  – True for both criminals in physical world and
    intruders in computer world
  – The types of evidence will be different
• Investigative process will be the same!



                                                    4
        Investigative Process
• Why is it important for there to be an
  investigative process?
  – Sanctioned by our court system




                                           5
Impact of Investigation
• Allegations of wrongdoing
  – People can lose their freedom
  – Reputation can be destroyed
  – Extreme case, lose their lives

• Investigative process is similar to scientific
  method
  – Develop several theories with hypotheses
  – Seek evidence to disprove each hypothesis
  – Trying to determine what happened based on
    evidence and avoid preconceived ideas
                                                   6
             Digital Evidence
• Want to uncover links between suspect
  and crime scene
  – If a crime occurred, it should be traced
  – Physical world
     • Evidence includes hair, fingerprints or fibers
     • Witness reports
  – Digital world
     • Evidence is digital information in the form of files,
       and time stamps

                                                               7
            Digital Evidence
• Example
  – Individual sends threatening message via a
    Web based e-mail service like Hotmail
    • What evidence could be gathered?




                                                 8
            Digital Evidence
• Example
  – Browser stores files, links and other
    information on hard disk along with date-time
    related information
       – All on suspect's computer
  – Web server used to send message
       – Access logs, e-mail logs, IP addresses
       – Stores message sent in suspect's e-mail
         account

                                                    9
           Digital Evidence
• Example continued
  – Piece together evidence from suspect's
    computer and Web server
    • Match programs and tools
    • Examine time information
       – Did the time the message was received roughly
         match the time it was sent?




                                                 10
           Digital Evidence
• Example 2
  – Intruder gains unauthorized access to Unix
    system from Windows PC using a stolen
    Internet dial-up account and uploads various
    tools to Unix machine via FTP
  – You have access to both machines

  – What evidence could be gathered?


                                                   11
              Digital Evidence
• Example 2 continued
  – Tools now on both Windows and Unix systems
  – Characteristics of tools on both systems match
    • Date-time stamps,
    • Exact copies – size and version match
  – Windows applications used to connect to Unix
    (Telnet, SSH)
    • Keep a record of target IP address/hostname
  – Directory listings from Unix system
    • Intruder's hard drive, if swapped to disk while being
      displayed by Telnet or SSH
                                                              12
            Digital Evidence
• Example 2 continued
  – Stolen account/password likely stored
    somewhere on Intruder’s system
    • Sniffer log or in list of stolen accounts from other
      systems
  – Unix system
    • Log-in records
    • FTP transfer logs showing connection and file
      transfers
    • Transferred tools can have associated user and
      group information
                                                             13
           Digital Evidence
• Additional systems may be involved
  – IDS logs – Intrusion detection systems
  – NetFlow logs – Routers
  – Other logs – Firewall or other systems
• The more corroborating evidence that can be obtained,
  – the greater the weight of the evidence in a
    court of law



                                                   14
                 Digital Evidence
• Example 3
    – Child porn from the Internet
    – Evidence traced from Suspect to FTP Server
  Diagram: the chain of systems and the evidence each one holds

  Suspect's PC     – File date-time stamps, modem, FTP logs
  Dial-up Server   – TACACS logs and ANI records
  Router           – NetFlow logs
  FTP Server       – Logon and transfer logs

                   ANI – Automatic Number ID
                   TACACS – User authentication
                                                                        15
                 Digital Evidence
• Example 3 Continued
  – Dial-up connection can be traced through the
    various systems to the FTP Server
  – Client Side
     • Date-time stamps of the files show when they were
       downloaded
     • Logs from FTP client show when each file
       downloaded and from where
   Log entry: 98.11.12.1 19:53 A
    C:\download\image12.jpg<--192.168.1.45/home/johnh/image12.jpg

  WS_FTP image downloaded from FTP server 192.168.1.45 on Nov. 12 1998
  at 1953 hours from remote directory /home/johnh
                                                                    16
                   Digital Evidence
• Example 3
   – Suspect's ISP
      • Dial-up Server logs at suspect's ISP could show that a
        specific IP address was assigned to suspect's user
        account at the time
  – FTP Server
      • Logs on FTP server may confirm files were
        downloaded to suspect’s IP address at time in
        question
      • Following FTP server transfer log entry shows a file
        with same name and size found on suspect’s
        computer being downloaded to IP address assigned to
        suspect at time in question
  Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user
                                                                             17
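The two log entries above are only evidence once they are shown to describe the same transfer. The following script is an added example (not from the slides or any tool they mention) that parses a WS_FTP-style client entry and a wu-ftpd-style xferlog entry, then checks the facts the slide lists: same remote path, the server sent the file out, the byte count equals the size of the file recovered from the suspect's disk, the receiving IP is the one the ISP assigned to the suspect, and the two clocks agree. The sample lines, the local file size and the suspect's IP are constructed for the example, and the xferlog field layout is the standard one (timestamp, seconds, host, bytes, path, type, special flag, direction, access mode, user).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (reusing the slide's values, but not copied from the
# slides): a WS_FTP-style client log entry and a wu-ftpd-style xferlog entry.
CLIENT_LOG = r"98.11.12 19:53 A C:\download\image12.jpg <-- 192.168.1.45 /home/johnh/image12.jpg"
SERVER_LOG = "Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user ftp 0 * c"

# Size of the file recovered from the suspect's disk (constructed; in a real case
# it comes from the forensic image, not from any log).
LOCAL_FILE_SIZE = 780800
# IP address the ISP's dial-up logs tie to the suspect at that time (constructed).
SUSPECT_IP = "216.58.30.131"

CLIENT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}) (?P<mode>[AB]) "
    r"(?P<local>\S+) <-- (?P<host>\S+) (?P<remote>\S+)$"
)
# xferlog fields: timestamp, transfer seconds, remote host, byte count, path,
# transfer type (a/b), special-action flag, direction (o/i/d), access mode, user
SERVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) (?P<dir>[oid]) "
    r"(?P<access>[arg]) (?P<user>\S+)"
)

def parse_client(line):
    m = CLIENT_RE.match(line)
    if m is None:
        raise ValueError("unrecognised client log line")
    when = datetime.strptime(f"{m['date']} {m['time']}", "%y.%m.%d %H:%M")
    return {"when": when, "server": m["host"],
            "remote_path": m["remote"], "local_path": m["local"]}

def parse_server(line):
    m = SERVER_RE.match(line)
    if m is None:
        raise ValueError("unrecognised xferlog line")
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
    return {"when": when, "client_ip": m["host"], "size": int(m["size"]),
            "path": m["path"], "direction": m["dir"], "user": m["user"]}

def correlate(client, server, suspect_ip, local_size, tolerance=timedelta(minutes=2)):
    """Return every check separately so a report can say which facts agree.
    The client log only has minute resolution, hence the time tolerance."""
    return {
        "same_remote_path": client["remote_path"] == server["path"],
        "server_sent_file": server["direction"] == "o",      # outgoing = download
        "size_matches_local_copy": server["size"] == local_size,
        "client_ip_assigned_to_suspect": server["client_ip"] == suspect_ip,
        "times_agree": abs(client["when"] - server["when"]) <= tolerance,
    }

def corroborated(checks):
    """All facts agree; any single disagreement needs an explanation before the
    two entries can be presented as describing one transfer."""
    return all(checks.values())

if __name__ == "__main__":
    checks = correlate(parse_client(CLIENT_LOG), parse_server(SERVER_LOG),
                       SUSPECT_IP, LOCAL_FILE_SIZE)
    for name, ok in checks.items():
        print(f"{name:32s} {'agree' if ok else 'DISAGREE'}")
    print("corroborated:", corroborated(checks))
```

Note that the xferlog records the client's address but not the server's own, so the link from the client entry's 192.168.1.45 to this server rests on which machine the log was collected from, which is exactly the kind of detail the seizure documentation has to capture.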
  Locard’s Exchange Principle
• Main goal of an investigation is to link the crime to
  the suspect by discovering threads
  between suspect, victim and crime scene
• A principle in criminal investigation called
  Locard’s Exchange Principle
  – Anyone or anything entering a crime scene
    takes something of the scene with them and
    leaves something of themselves behind

                                                 18
  Locard’s Exchange Principle
• Physical world
  – Offender leaves fingerprints, or hair at scene
  – Takes fiber, blood or other material away
• One piece of evidence
  – Strong possibility suspect was at the crime
    scene
• Two pieces of evidence
  – Much stronger link between suspect and
    crime scene

                                                     19
 Locard's Exchange Principle

  Diagram: a triangle with Crime Scene at the top, Victim at the lower left
  and Suspect at the lower right; Evidence sits in the centre, linking all
  three.
                               20
    Investigative Methodology
• Want investigative process structured so
  that
  – Complete investigation is done
  – Evidence is handled properly
  – Mistakes are minimized
• Investigation is broken up into levels at
  which various activities occur
• There is a process model
  – Looks like a software engineering model
  – Waterfall model
                                               21
Investigative Process Model

  Diagram: a staircase of stages, read from bottom to top, with Case
  Management running alongside all of them.

   1. Incident alerts or accusation (begins with incident alert)
   2. Assessment of worth
   3. Incident/Crime scene protocols
   4. Identification of seizure
   5. Preservation
   6. Recovery
   7. Harvesting
   8. Reduction
   9. Organization and search
  10. Analysis
  11. Reporting
  12. Persuasion and testimony (ends with testimony)
                                                                           22
    Investigative Process Model
• At the top of the process model
  – Role of investigator is finished
  – Pass on work, evidence to prosecutors or
    other decision makers
     • Decide whether to continue with case or not
  – Note: Steps shown are in a stair-step
    sequence
     • But stages interrelated and steps may need to be
       re-visited
     • Thus, stages have feedback mechanisms

                                                          23
               Process Model
• Logical Flow of Events that seeks to provide
  1. Acceptance – Professional agreement on
    methods
  2. Reliability – Methods trusted to support findings
  3. Repeatability – Process applied by all,
    independent of time and place
  4. Integrity – Evidence gathered can be trusted
  5. Cause and Effect – Logical connection between
    suspects and evidence
  6. Documentation – Critical for testimony
                                                    24
             Important Steps
• Look at a few of the more important steps
  – Accusation
  – Assessment of worth
  – Identification of seizure
  – Analysis
  – Reporting




                                        25
    Investigative Process Model


• Accusation or Intruder Alert
  – An intrusion log, or a more traditional report of
    criminal activity from a citizen
  – Likely some part of scene of crime contains
    digital evidence




                                                   26
    Investigative Process Model
• Accusation continued
  – Response
    • Must weigh the evidence
       – Look at sources plus human factors
       – May have to do some preliminary fact gathering and data
         analysis before deciding what happened and whether it
         was criminal or malicious
    • Example: Significant loss of files
       – Due to a power surge or computer failure instead of
         deliberate erasure
       – Employee incompetence as opposed to deliberate
           » Format C:\ (by mistake)

                                                               27
    Investigative Process Model
• Assessment of Worth
  – Try to find out the severity of a problem
     • Potential for significant loss
        – Reputation of company trashed for leaking private
          individuals information
     • Wider system compromise
        – Not just one computer, but infiltration throughout the
          company
     • Physical injury
  – If damage can be contained without further
    loss, may not be worth a full investigation
                                                                   28
     Investigative Process Model
• Identification or Seizure
  – Once scene is secured, potential evidence of
    an alleged crime or incident must be seized

  – Documentation is very important in digital
    evidence seizure step
     • Must record details about each thing seized as
       evidence in order to establish its authenticity and
       establish a chain of custody
     • Chain of custody – who handled the evidence
       since it was seized – More on this later
                                                             29
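The chain of custody the slide introduces is, at its core, a record that names each item, who has held it since seizure, and proof that it is still the same item. The class below is an added example (not from the slides or any forensic product) of that record: the item is hashed with SHA-256 at seizure, every hand-over recomputes the hash on what is actually being handed over, and a mismatch is written into the record rather than accepted. The evidence bytes, the people and the timestamps are constructed; the structure is a hypothetical one and not any prescribed legal form.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a seized item (a short byte string instead of a disk image).
EVIDENCE = b"constructed sample evidence: contents of seized floppy image"
TAMPERED = EVIDENCE + b"\x00"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class CustodyRecord:
    """One seized item with its description, the hash taken at seizure and every
    custody event since. A hypothetical structure, not a prescribed legal form."""

    def __init__(self, item_id, description, seized_by, data, when):
        self.item_id = item_id
        self.description = description
        self.seizure_hash = sha256_hex(data)
        self.events = []
        self._record("seized", seized_by, None, self.seizure_hash, True, when)

    def _record(self, action, actor, recipient, digest, ok, when):
        # Timestamps are normalised to UTC so entries from different offices sort cleanly.
        self.events.append({
            "when": when.astimezone(timezone.utc).isoformat(),
            "action": action, "actor": actor, "recipient": recipient,
            "sha256": digest, "integrity_ok": ok,
        })

    def verify(self, data):
        """True if the bytes still match the hash taken at seizure."""
        return sha256_hex(data) == self.seizure_hash

    def transfer(self, from_person, to_person, data, when):
        """Hand the item on. The hash is recomputed on what is actually handed
        over; a mismatch is written into the record, never silently accepted."""
        digest = sha256_hex(data)
        ok = digest == self.seizure_hash
        self._record("transfer", from_person, to_person, digest, ok, when)
        return ok

    def unbroken(self):
        """The chain is intact only if every event verified against the seizure hash."""
        return all(e["integrity_ok"] for e in self.events)

def demo():
    """Constructed walk-through: one clean hand-over, then one where the copy
    handed over no longer matches the seizure hash."""
    rec = CustodyRecord("item-001", "3.5in floppy from suspect's desk drawer",
                        "Officer A", EVIDENCE,
                        datetime(1998, 11, 13, 9, 0, tzinfo=timezone.utc))
    rec.transfer("Officer A", "Examiner B", EVIDENCE,
                 datetime(1998, 11, 13, 11, 0, tzinfo=timezone.utc))
    rec.transfer("Examiner B", "Evidence clerk C", TAMPERED,
                 datetime(1998, 11, 14, 8, 30, tzinfo=timezone.utc))
    return rec

if __name__ == "__main__":
    rec = demo()
    for e in rec.events:
        print(e["when"], e["action"], e["actor"], "->", e["recipient"],
              "ok" if e["integrity_ok"] else "HASH MISMATCH")
    print("chain unbroken:", rec.unbroken())
```

The point of recording the failed transfer instead of raising an error is that the record itself must show where the chain broke; an examiner who later testifies needs that entry, not a silently shortened log.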
    Investigative Process Model
• Identification or Seizure continued
  – Digital World
     • Seizure occurs, but some or all of the state or
       character may be lost immediately upon seizure
       due to volatility of electronic devices
     • Once system is powered down, all RAM is lost
     • Methods and software allow for capture of this
       information before power-down



                                                         30
   Investigative Process Model
• Analysis
  – Scrutiny of Data
  – Review images, determine motivation,
    opportunity for crime or event
  – Fusion and correlation
    • Bring together data from many sources
    • Example: Many crimes have a time-line associated
      with event, put data in chronological order



                                                     31
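Putting data from many sources in chronological order sounds simple, but each source writes timestamps in its own format and its own time zone, and syslog-style records omit the year entirely. The script below is an added example (not from the slides) that normalises three constructed records, one each from the suspect's PC, the dial-up server and the FTP server, to UTC and merges them into one timeline; it also reports the gap between consecutive events, which is where clock skew between sources tends to surface. The time zone assigned to each source and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets so the example runs offline; the zone each system actually kept
# is something the investigator must establish per source (assumed here).
SOURCE_TZ = {
    "suspect-pc": timezone(timedelta(hours=-8)),   # PC clock in Pacific Standard Time
    "dialup-server": timezone.utc,
    "ftp-server": timezone.utc,
}

# Constructed sample records, one per source, each in that source's own format.
RAW_EVENTS = [
    ("ftp-server", "1998-11-12T19:53:23Z xfer 780800 /home/johnh/image12.jpg -> 216.58.30.131"),
    ("suspect-pc", "11/12/1998 11:53:00 AM created C:\\download\\image12.jpg"),
    ("dialup-server", "Nov 12 19:41:07 dialup tacacs: login ok user=johnh ip=216.58.30.131"),
]

def parse_event(source, line, syslog_year=1998):
    """Return (utc_time, source, message) for one record in its native format."""
    tz = SOURCE_TZ[source]
    tokens = line.split()
    if source == "suspect-pc":                     # Windows-style local time with AM/PM
        when = datetime.strptime(" ".join(tokens[:3]), "%m/%d/%Y %I:%M:%S %p")
        message = " ".join(tokens[3:])
    elif source == "dialup-server":                # syslog carries no year; supply it
        when = datetime.strptime(f"{syslog_year} " + " ".join(tokens[:3]),
                                 "%Y %b %d %H:%M:%S")
        message = " ".join(tokens[3:])
    else:                                          # ISO 8601, already in UTC
        when = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")
        message = " ".join(tokens[1:])
    return when.replace(tzinfo=tz).astimezone(timezone.utc), source, message

def build_timeline(raw_events):
    """Fuse events from all sources into one list, in UTC, oldest first."""
    return sorted(parse_event(src, line) for src, line in raw_events)

def gaps_seconds(timeline):
    """Seconds between consecutive events; unexpectedly large or negative-looking
    gaps between sources are the first sign of clock skew to investigate."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(timeline, timeline[1:])]

if __name__ == "__main__":
    timeline = build_timeline(RAW_EVENTS)
    for when, source, message in timeline:
        print(when.isoformat(), f"{source:14s}", message)
    print("gaps (s):", gaps_seconds(timeline))
```

Here the PC's local 11:53 AM lands 23 seconds before the server's transfer record once both are in UTC, which is the kind of agreement the previous slides asked for; had the PC's zone been assumed wrong, the same file would appear to be created eight hours away from its download.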
   Investigative Process Model
• Reporting
  – View of investigative process
  – Contain important details from each step
  – Reference to protocols followed, methods used
    to gather evidence
  – Each step should be carefully documented




                                               32
          Reporting Example
• View recommendations and example from
  a Department of Justice document
  http://www.ncjrs.gov/pdffiles1/nij/199408.pdf




                                                  33
                   Summary
• Investigative Methodology
    • Model of Investigation helps with establishing a
      more scientific approach to investigation
    • Important for both physical and digital evidence
       – Huge potential impact since people's reputations or
         freedoms are on the line
    • A challenge of digital evidence is its transient
      nature
       – Can be lost for good if not careful
    • Not all cases are worth pursuing
       – Must weigh evidence to see if case should be pursued
                                                                34
                   Finish



– More on Digital Evidence
– Reading: Chapter 2
– See Assignments Page, Assignment 1
  • Check out link to Justice Document



                                         35

Document info: posted 8/8/2011, language English, 35 pages