Download presentation
Presentation is loading. Please wait.
Published byMadelynn Hadd Modified over 9 years ago
1
Forensic Overview 10:45-11:45 AM Jeffrey Savoy, CISSP GIAC EnCE
Information Security Officer University of Wisconsin Madison
2
Road Map: Background Digital Preservation Digital Analysis
3
Background: Definitions: Digital Investigation
Answer questions about digital events Digital Forensic Investigation so the results are admissible in court
4
Background: Sample forensic considerations: Chain-of-Custody
Prevent cross contamination during exam Wide acceptance of investigative techniques? Can the findings be duplicated?
5
Background: Examples of digital investigation cases:
Electronic harassment (google, , etc) Fraud (spreadsheets, etc) Illegal pornography Stolen computer recovery Assist in identifying owner Hacking (software)
6
-> Media Acquisition
7
-> Media Acquisition
-> Answer questions
8
-> Media Acquisition
-> Answer questions -> Ensure answers are correct to the extent possible
9
Digital Investigation Tools:
A wide variety of tools exist and may operate at one of more levels of the investigative process, eg Preservation + Analysis Forensic Tool Kit (FTK) P/A $1,000 Guidance Software Encase $1,500 dd & The Sleuth Kit Open Source *Approximate; plugs-ins, etc
10
Evidence Preservation
Sample guidelines : Preserve original evidence and work on copy of data Digital data is fragile, obtain with minimal disturbance Results should be repeatable Take good notes!
11
Evidence Preservation
Traditionally obtain an exact copy of data on media that survives at power down Higher level of certainty Possibly capture the state of a live system Lower level of certainly due to side effects but may lead to more understanding
12
Evidence Preservation:
Where is the evidence? Hard drives USB Thumb drives CDROMs Floppy diskettes Palm Pilot Memory
13
Evidence Preservation:
Implement media write blockers during acquisition: Prevent changes to evidence Sit between forensic machine and media SCSI, sATA, IDE, etc
14
Evidence Preservation:
Write Blocker Kit “Ultimate Write Blocker Kit” Full kit approximately $1,800
15
Evidence Preservation:
Implement write blocker bridges: firewire/usb -> IDE
16
Evidence Preservation:
Implement write blocker bridges: firewire/usb -> USB
17
Evidence Preservation:
Switches can be set to allow for writes Can be useful in some cases (after preservation stage) Remember to always confirm Write protection ON.
18
Evidence Preservation:
Network Acquisition: Prevent writes to evidence Sometimes best option, eg RAID array
19
Evidence Preservation:
Raw image Only data from the source media Example: dd Embedded image Includes additional descriptive data, eg hash values, case notes, etc Example: Encase evidence file Review examples…
20
Evidence Preservation:
dd Native to Unix/Linux Available for Windows Copies chunks of data from one file and writes it to another. Only knows about files and not file systems, disks, etc.
21
Evidence Preservation:
dd examples: Create an image of hard drive: dd if=/dev/hda bs=2k of=raw.img Calculate md5 checksum of drive: dd if=/dev/hda bs=2k | md5sum Preserve memory in Windows: dd if=\\.\physicalmemory of=c:memory.dd bs=47 \\.\ windows way to accessing device file
22
Evidence Preservation:
Encase example: Highlights: File segment size Compression
23
Evidence Preservation:
Compare the acquisition hash: To manually calculated hash at any time: Values agree ->
24
Evidence Preservation:
Quick review: Acquire media with hardware write blockers. Examples of dd and Encase Move to Evidence Analysis…
25
Evidence Analysis:
26
Evidence Analysis:
27
Evidence Analysis:
28
Evidence Analysis: Quick Definitions: Sectors Clusters MBR Allocated vs Unallocated Clusters File Slack
29
Evidence Analysis: Sectors and Clusters Sectors: The smallest addressable unit on a hard drive, typically 512 bytes Clusters: The smallest allocation unit by the operating system made up of groups of sectors
30
Evidence Analysis: Master Boot Record (MBR) In PCs boot code exists in first 446 bytes of the first sector. The last bytes contain information on the first four partitions. Boot process gets code from the MBR and then looks for the first bootable partition location and find additional boot code from there.
31
Evidence Analysis: Allocated vs Unallocated Space File systems like FAT/NTFS reserve clusters for use. As fill with files, the clusters become allocated. As files are removed, the clusters become unallocated and again available for use by the file system. Thus, unallocated space may contain useful information in an investigation.
32
Evidence Analysis: File Slack: The file system pre-allocates space for individual files (clusters). If a file does not occupy the full space, the end is “slack”. This slack may contain information from the previous file. Similar to recording an hour length show on VHS tape and overwriting with an 30 min show. Note that File Slack is allocated space.
33
Evidence Analysis: Encase displays file slack as red text: May find tidbits…
34
Evidence Analysis: Encase view of sample PC media Note: MBR, Allocated/Unallocated clusters
35
Evidence Analysis: Encase view of Sector 0 containing the MBR
36
Evidence Analysis: We can “sweep” 64 bytes on sector offset 446 to manually confirm the partition information
37
Evidence Analysis: Use Encase “Bookmark” to translate to the partition information. Type: Status: 80 is the bootable partition -in this case the NTFS partition
38
Evidence Analysis: Encase “report” view of same disk confirms the information.
39
Evidence Analysis: What happens if the partition table is gone (on purpose or otherwise)? The Encase view: Note that no logical volumes shown (C: D:) and all gray clusters
40
Search for common beginnings of partitions starting at sector 63
Evidence Analysis: Search for common beginnings of partitions starting at sector 63 MSWIN4.0 -> Windows 98 FAT MSWIN5.0 -> Windows 2000, XP FAT NTFS -> Windows NTFS
41
Evidence Analysis: Now inform Encase that we believe that this location contains a NTFS partition
42
Evidence Analysis: The volume now appears -> Can save to Encase “case” to retained after shut down.
43
Evidence Analysis: In reviewing files, Encase provides the below gui: Note ability to sort columns and files listed out
44
Evidence Analysis: Encase GUI provides the ability to filter: Used to view files based on supplied criteria Can be used to reduce many thousands of files to more manageable level Example of listing only Word docs
45
Evidence Analysis: Searches: Major activity in many investigations Decide on text terms or patterns
46
Evidence Analysis: When doing text/pattern searches usually also run:
File signature verification Review file headers Hash computation Compute hashes on all files Review both in moment…
47
Evidence Analysis: Search hits displayed along with their locations on the media: Note keyword hits in unallocated clusters
48
Encase can compare each file header to library
Evidence Analysis: File Signature verification: Encase can compare each file header to library of over 220 unique known signatures in order to determine file type, eg .doc, .jpg, etc How is this useful?
49
Evidence Analysis: Case one: A file header matches a known value but the extension does not match Can assist in finding files with changed extensions For example renaming a .jpg file with a .txt extension: Can do for every file and quick sort to search for inconsistencies
50
Evidence Analysis: Case two: A file header matches a known value but the file does not have an extension Encase will act consistent with header when file is double clicked, eg launch Excel for a file matching Excel header Encase will act consistent with header when file is viewed, eg Gallery view will display pictures even though no extensions Useful for file systems with Macintosh HFS file system
51
Evidence Analysis: Hash computation: Calculate the MD5 hash of every file
52
Evidence Analysis: Hash computation: Uses: Find specific file Third party may provide hashes to search Malware, illegal images, etc Filter known files Faster searches! Example…
53
Evidence Analysis: Import NIST known OS md5 hashes available on their web site
54
Evidence Analysis: Encase now indicates “*known” files (* used for sorting purposes):
55
Evidence Analysis: Now use an Encase Filter to remove these files from view and searches: In this case, reduced 21,088 files to 14,787 30% less files to search!
56
Evidence Analysis: Data Carving within Encase Can matching headers/footers/file size/etc and search through unallocated space and “carve” out file and save to forensic machine for review Commonly search for jpegs, html, etc Since searching through unallocated space, the files found may not be compete Encase provides EnScript to do (similar to C++)
57
Evidence Analysis: Run EnScript:
58
Evidence Analysis: Carve out any found jpegs in the unallocated clusters Likely include incomplete jpegs since may have been overwritten
59
Evidence Analysis: Recovery of deleted files:
60
Evidence Analysis: Example of wiping files in software:
Encrypt existing folder using Microsoft Encrypting File System (EFS). Note TMP artifact left after conversion Use the cipher command to wipe directory: Result:
61
Evidence Analysis: Recycle Bin: Windows 98, NT, 2000, XP The default process when a file is moved to the Recycling bin. 1. New file entry in Recycle Bin 2. Additional about the file in a hidden system file named INFO2 Most important can be the delete date and time
62
Evidence Analysis: Each INFO2 record 800 bytes When the file is deleted, the file is remove as well as the corresponding INFO2 record both of which may be recoverable Example..
63
Evidence Analysis: INFO2 file found in the recycler bin: Can sweep 800 bytes: Bookmark to display information:
64
Evidence Analysis: Encase allows the ability to export the acquired files as a windows share on forensic machine. How may this be useful?
65
Evidence Analysis: This is useful to allow third party tools to analyze the export share of suspect files Examples…
66
Evidence Analysis: Virus Checking of suspect drive:
67
Evidence Analysis: Paraben Forensic Tools Examiner:
68
Evidence Analysis:
69
Evidence Analysis:
70
Documents and Settings/USER/
Evidence Analysis: Windows Artifacts: Documents and Settings/USER/ Recent/: Recently accessed files, programs, etc Stored at this location as link files. Print spooler Past printouts written to disk Search for EMF files in unallocated space
71
Evidence Analysis: View web cache: View browser history:
72
Event reconstruction:
Restoring evidence Export programs to run on forensic machine Boot into suspects drive Commonly use VMware
73
Event reconstruction:
Encase allows acquired files to be exported as a physical disk
74
Event reconstruction:
VMware can use Encase embedded image directly and allow virtually booting into suspect drive:
75
Event reconstruction:
Use software to reset password to allow access:
76
Questions?
77
Resources: Windows Forensics and Incident Recovery, Carvey
File System Forensic Anaylsis, Carrier Forensic Discovery, Farmer, Venema Windows dd Encase FTK Ultimate Write Blocker Kit NIST Hashes The Sleuth Kit (TSK) Paraben Software
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.