
Forensic Overview 10:45-11:45 AM Jeffrey Savoy, CISSP GIAC EnCE


1 Forensic Overview 10:45-11:45 AM Jeffrey Savoy, CISSP GIAC EnCE
Information Security Officer University of Wisconsin Madison

2 Road Map: Background; Digital Preservation; Digital Analysis

3 Background: Definitions:
Digital Investigation: answering questions about digital events.
Digital Forensic Investigation: a digital investigation conducted so that the results are admissible in court.

4 Background: Sample forensic considerations:
Chain of custody
Prevent cross-contamination during the exam
Are the investigative techniques widely accepted?
Can the findings be duplicated?

5 Background: Examples of digital investigation cases:
Electronic harassment (Google, etc.)
Fraud (spreadsheets, etc.)
Illegal pornography
Stolen computer recovery (assist in identifying the owner)
Hacking (software)

6-8 Digital investigation process:
Media Acquisition -> Answer questions -> Ensure the answers are correct to the extent possible

9 Digital Investigation Tools:
A wide variety of tools exist, and each may operate at one or more levels of the investigative process, eg Preservation (P) and/or Analysis (A):
Forensic Tool Kit (FTK): P/A, approximately $1,000*
Guidance Software EnCase: P/A, approximately $1,500*
dd & The Sleuth Kit: open source
*Approximate; plug-ins, etc, cost extra

10 Evidence Preservation
Sample guidelines:
Preserve the original evidence and work on a copy of the data
Digital data is fragile; obtain it with minimal disturbance
Results should be repeatable
Take good notes!

11 Evidence Preservation
Traditionally: obtain an exact copy of the data on media that survives a power-down (disks, removable media). Higher level of certainty.
Possibly: capture the state of a live system (memory, running processes, network connections). Lower level of certainty, because the capture itself has side effects on the system, but it may lead to more understanding.

12 Evidence Preservation:
Where is the evidence? Hard drives; USB thumb drives; CD-ROMs; floppy diskettes; Palm Pilot (PDA); memory

13 Evidence Preservation:
Use hardware write blockers during acquisition: they prevent changes to the evidence and sit between the forensic machine and the media (SCSI, SATA, IDE, etc).

14 Evidence Preservation:
Write Blocker Kit “Ultimate Write Blocker Kit” Full kit approximately $1,800

15 Evidence Preservation:
Implement write blocker bridges: firewire/usb -> IDE

16 Evidence Preservation:
Implement write blocker bridges: firewire/usb -> USB

17 Evidence Preservation:
Switches on the blocker can be set to allow writes. This can be useful in some cases (after the preservation stage), so remember to always confirm that write protection is ON before connecting evidence media.

18 Evidence Preservation:
Network acquisition: the evidence system is booted from trusted forensic media and the image is sent over the network to the forensic machine, so nothing is written to the evidence. Sometimes the best option, eg for a RAID array that cannot sensibly be imaged disk by disk.

19 Evidence Preservation:
Raw image: only the data from the source media. Example: dd.
Embedded image: includes additional descriptive data, eg hash values, case notes, etc. Example: EnCase evidence file (.E01).
Review examples…

20 Evidence Preservation:
dd: native to Unix/Linux; a Windows port is available. Copies blocks of data from an input file and writes them to an output file. It knows only about files (including device files such as /dev/hda), not about file systems or disk structure, which is exactly why it makes a faithful bit-for-bit copy.

21 Evidence Preservation:
dd examples:
Create an image of a hard drive: dd if=/dev/hda bs=2k of=raw.img
Calculate the md5 checksum of the drive: dd if=/dev/hda bs=2k | md5sum
Preserve memory in Windows: dd if=\\.\PhysicalMemory of=c:\memory.dd
(\\.\ is the Windows way of addressing a device file.)
Caveats: plain dd stops at the first unreadable sector; add conv=noerror,sync so read errors are skipped and padded rather than aborting the image. User-mode access to \\.\PhysicalMemory was removed in Windows Server 2003 SP1 and later (including Vista onward), so on those systems memory acquisition needs a tool that installs a kernel driver.

22 Evidence Preservation:
Encase example: Highlights: File segment size Compression

23 Evidence Preservation:
Compare the acquisition hash stored in the evidence file to a manually calculated hash at any later time. If the values agree, the image is unchanged since acquisition.

24 Evidence Preservation:
Quick review: acquire media through hardware write blockers; examples of dd and EnCase acquisition. Move on to Evidence Analysis…

25 Evidence Analysis:

28 Evidence Analysis: Quick Definitions: Sectors; Clusters; MBR; Allocated vs Unallocated Clusters; File Slack

29 Evidence Analysis: Sectors and Clusters
Sector: the smallest addressable unit on a hard drive, typically 512 bytes.
Cluster: the smallest allocation unit used by the file system, made up of a group of sectors.

30 Evidence Analysis: Master Boot Record (MBR)
On PCs the boot code occupies the first 446 bytes of the first sector (sector 0). Bytes 446-509 hold the partition table: four 16-byte entries describing the primary partitions. The last two bytes (510-511) are the signature 0x55AA. The boot process runs the code in the MBR, which locates the first bootable (active) partition and loads additional boot code from the start of that partition.

31 Evidence Analysis: Allocated vs Unallocated Space
File systems like FAT/NTFS track which clusters are in use. As they fill with files, clusters become allocated. As files are removed, their clusters become unallocated and are again available to the file system, but the old content stays on disk until something overwrites it. Thus unallocated space may contain useful information in an investigation.

32 Evidence Analysis: File Slack
The file system allocates space to a file in whole clusters. If the file does not fill its last cluster, the remainder is "slack", and that slack may still hold data from a previous file. Similar to recording an hour-long show on a VHS tape and then overwriting it with a 30-minute show: the tail of the old show remains. Note that file slack is allocated space (it belongs to the file's last cluster), so a search limited to unallocated clusters will miss it.

33 Evidence Analysis: Encase displays file slack as red text: May find tidbits…

34 Evidence Analysis: Encase view of sample PC media Note: MBR, Allocated/Unallocated clusters

35 Evidence Analysis: Encase view of Sector 0 containing the MBR

36 Evidence Analysis: We can "sweep" the 64 bytes at offset 446 of sector 0 to manually confirm the partition information

37 Evidence Analysis: Use the EnCase "Bookmark" to decode the bytes as a partition table. Type: the partition type byte (eg 0x07 for NTFS). Status: 0x80 marks the bootable (active) partition, in this case the NTFS partition.

38 Evidence Analysis: Encase “report” view of same disk confirms the information.

39 Evidence Analysis: What happens if the partition table is gone (on purpose or otherwise)? The EnCase view: no logical volumes are shown (no C: or D:) and all clusters appear gray, ie unallocated.

40 Evidence Analysis: Search for the common beginnings of partitions, starting at sector 63 (where the first partition historically began). The OEM name at bytes 3-10 of a volume's boot sector identifies what formatted it:
MSWIN4.0 / MSWIN4.1 -> Windows 95 / 98 FAT
MSWIN5.0 -> Windows 2000, XP FAT
NTFS -> Windows NTFS
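The partition-table walk of slides 30-37 and the lost-volume search of slides 39-40 can be reproduced outside EnCase. The following is an added example written for this transcript, not code from the talk or from Guidance Software: it decodes the four 16-byte entries at offset 446, verifies the 0x55AA signature, and, when the table has been zeroed, scans sector by sector from LBA 63 for a boot sector whose OEM name matches one of the slide's values. The disk image it operates on is constructed in `build_sample_image()` and is not real evidence; the partition type 0x07 (NTFS) and the NTFS boot-sector jump bytes are standard values.

```python
import struct

SECTOR = 512
SIGNATURE = b"\x55\xAA"        # last two bytes of an MBR and of FAT/NTFS boot sectors
PART_TABLE_OFF = 446           # the 64 bytes swept in the slides: 4 entries x 16 bytes

# Boot-sector OEM name (bytes 3-10 of a volume's first sector) -> what formatted it
OEM_NAMES = {
    b"MSWIN4.0": "Windows 95 FAT",
    b"MSWIN4.1": "Windows 98/ME FAT",
    b"MSWIN5.0": "Windows 2000/XP FAT",
    b"NTFS    ": "Windows NTFS",
}


def parse_mbr(sector0):
    """Decode the four partition entries of a raw 512-byte MBR.

    Each entry: status (0x80 = bootable), CHS start (3 bytes, ignored here),
    type, CHS end (3 bytes, ignored), LBA start, sector count; little-endian.
    """
    if len(sector0) < SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA signature: partition table missing or damaged")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector0[off:off + 16])
        if ptype == 0:                      # empty slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts


def find_boot_sectors(image, first_lba=63):
    """Signature search: scan sector by sector for a known OEM name plus 0x55AA."""
    hits = []
    for lba in range(first_lba, len(image) // SECTOR):
        off = lba * SECTOR
        oem = image[off + 3:off + 11]
        if oem in OEM_NAMES and image[off + 510:off + 512] == SIGNATURE:
            hits.append((lba, OEM_NAMES[oem]))
    return hits


def build_sample_image():
    """Constructed image (not real evidence): one bootable NTFS partition at LBA 63."""
    img = bytearray((63 + 128) * SECTOR)
    img[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 128)
    img[510:512] = SIGNATURE
    vbr = 63 * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"     # jump instruction that opens an NTFS boot sector
    img[vbr + 3:vbr + 11] = b"NTFS    "
    img[vbr + 510:vbr + 512] = SIGNATURE
    return bytes(img)


def wipe_partition_table(image):
    """Simulate a zeroed partition table (bytes 446-511 of sector 0)."""
    img = bytearray(image)
    img[PART_TABLE_OFF:SECTOR] = bytes(SECTOR - PART_TABLE_OFF)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("partition table:", parse_mbr(img[:SECTOR]))
    wiped = wipe_partition_table(img)
    try:
        parse_mbr(wiped[:SECTOR])
    except ValueError as e:
        print("after wipe:", e)
    print("signature search recovers:", find_boot_sectors(wiped))
```

Run against a real raw image, `find_boot_sectors` is the slow but reliable path: it reads every sector, so on a large disk start it at the alignment boundaries the disk's era used (63 for CHS-era partitioning, 2048 for modern tools) before falling back to a full sweep. A hit only says "a boot sector starts here"; as on slide 41 you still tell the tool where the volume begins and let it validate the rest of the boot sector.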

41 Evidence Analysis: Now inform Encase that we believe that this location contains a NTFS partition

42 Evidence Analysis: The volume now appears. Save the EnCase "case" so the recovered volume is retained after shutdown.

43 Evidence Analysis: For reviewing files, EnCase provides the GUI below. Note the ability to sort columns and list files out.

44 Evidence Analysis: Encase GUI provides the ability to filter: Used to view files based on supplied criteria Can be used to reduce many thousands of files to more manageable level Example of listing only Word docs

45 Evidence Analysis: Searches: Major activity in many investigations Decide on text terms or patterns

46 Evidence Analysis: When doing text/pattern searches, usually also run:
File signature verification: review file headers
Hash computation: compute hashes on all files
Review both in a moment…

47 Evidence Analysis: Search hits displayed along with their locations on the media: Note keyword hits in unallocated clusters

48 Evidence Analysis: File signature verification: EnCase can compare each file header to a library of over 220 unique known signatures in order to determine the file type, eg .doc, .jpg, etc. How is this useful?

49 Evidence Analysis: Case one: the file header matches a known value but the extension does not match. This assists in finding files with changed extensions, for example a .jpg file renamed with a .txt extension. Run it for every file and sort on the signature column to surface the inconsistencies.

50 Evidence Analysis: Case two: the file header matches a known value but the file has no extension. EnCase acts on the header rather than the name: double-clicking launches the matching application (eg Excel for a file with an Excel header), and Gallery view displays pictures even though they have no extension. Useful for Macintosh HFS file systems, where files commonly carry no extension.

51 Evidence Analysis: Hash computation: Calculate the MD5 hash of every file

52 Evidence Analysis: Hash computation: Uses: Find specific file Third party may provide hashes to search Malware, illegal images, etc Filter known files Faster searches! Example…

53 Evidence Analysis: Import the NIST known-OS MD5 hashes (National Software Reference Library) available on their web site

54 Evidence Analysis: Encase now indicates “*known” files (* used for sorting purposes):

55 Evidence Analysis: Now use an EnCase Filter to remove these files from view and from searches. In this case the set was reduced from 21,088 files to 14,787: 30% fewer files to search!
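Slides 48-50 (signature verification) and 51-55 (hashing and known-file filtering) are two passes over the same file list, so one added example covers both. This is illustration code written for this transcript, not EnCase or NIST code: a small header library stands in for EnCase's 220-signature table, `signature_status()` produces the match / mismatch / no-extension verdicts the slides describe, and `filter_known()` drops anything whose hash is in a known set. The five files and the one-entry "known" set are constructed inline and are not from a real case or from the NSRL.

```python
import hashlib

# Header library (a small subset of the signatures a tool like EnCase ships with)
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": {"doc", "xls", "ppt"},   # OLE2 compound file (Office 97-2003)
    b"PK\x03\x04": {"zip"},
    b"MZ": {"exe", "dll"},
}


def header_type(data):
    """Return the extensions consistent with the file header, or None if nothing matches."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def signature_status(name, data):
    """Mirror the EnCase signature column: match, MISMATCH, no extension, or unknown."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts = header_type(data)
    if exts is None:
        return "unknown"
    if not ext:
        return "no extension (header: %s)" % "/".join(sorted(exts))
    return "match" if ext in exts else "MISMATCH (header: %s)" % "/".join(sorted(exts))


def triage(files, known_md5):
    """files: {name: bytes}; known_md5: set of hex digests from a known-file hash set."""
    rows = []
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        rows.append({"name": name, "signature": signature_status(name, data),
                     "md5": md5, "known": md5 in known_md5})
    return rows


def filter_known(rows):
    """Drop files whose hash is in the known set, like the EnCase filter on slide 55."""
    return [r for r in rows if not r["known"]]


def sample_files():
    """Constructed inputs (not from a real case)."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xFF\xD9"
    return {
        "notepad.exe": b"MZ" + b"\x90" * 62,          # stands in for a known OS file
        "photo.jpg": jpeg,                             # extension agrees with header
        "readme.txt": jpeg,                            # picture hidden behind .txt
        "budget": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,   # Office file, no extension
        "notes.txt": b"meeting at noon\n",             # no signature in the library
    }


def sample_known_set(files):
    """A one-entry stand-in for an NSRL-style known-file hash set."""
    return {hashlib.md5(files["notepad.exe"]).hexdigest()}


if __name__ == "__main__":
    files = sample_files()
    rows = triage(files, sample_known_set(files))
    for r in rows:
        print("%-12s %-32s %s" % (r["name"], r["signature"], "known" if r["known"] else ""))
    print(len(rows), "->", len(filter_known(rows)), "files after removing known files")
```

Two practitioner notes. First, a header match is a claim about the first few bytes only; a tool that also checks a footer or parses the structure (as the slide's signature library does for some types) produces fewer false positives than this prefix test. Second, the NSRL publishes SHA-1 alongside MD5, and MD5 collisions are practical today, so when the goal is "this exact suspect file is present" (slide 52) match on SHA-1 or SHA-256 as well; MD5 remains adequate for the known-good filtering shown here, where an attacker gains nothing by colliding with a Windows system file.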

56 Evidence Analysis: Data Carving within EnCase. Match on headers, footers, file size, etc, search through unallocated space, "carve" out the file and save it to the forensic machine for review. Commonly used for JPEGs, HTML, etc. Since the search runs through unallocated space, the files found may not be complete. EnCase provides EnScript (a C++-like scripting language) to do this.

57 Evidence Analysis: Run EnScript:

58 Evidence Analysis: Carve out any JPEGs found in the unallocated clusters. This will likely include incomplete JPEGs, since parts of them may have been overwritten.
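Header-to-footer carving as described on slides 56-58, written as an added example for this transcript (it is not the EnScript from the talk). The JPEG start-of-image marker FF D8 FF and end-of-image marker FF D9 are the standard values; `sample_unallocated()` is a constructed byte run, not real unallocated space, containing one intact JPEG and one whose footer has been overwritten so that the incomplete-file case the slide warns about is exercised.

```python
SOI = b"\xFF\xD8\xFF"   # JPEG start of image (header)
EOI = b"\xFF\xD9"       # JPEG end of image (footer)


def carve_jpegs(blob, max_size=4 * 1024 * 1024):
    """Return [(offset, data, complete)] for every JPEG candidate in a raw byte run.

    complete=False means no footer was found within max_size of the header:
    the tail was probably overwritten, so the carved data is truncated at max_size.
    """
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            found.append((start, blob[start:start + max_size], False))
            pos = start + len(SOI)        # keep scanning inside the damaged candidate
        else:
            found.append((start, blob[start:end + 2], True))
            pos = end + 2
    return found


def sample_unallocated():
    """Constructed unallocated-cluster run: one intact JPEG, one with its footer overwritten."""
    intact = SOI + b"\xE0\x00\x10JFIF\x00" + b"\x11" * 200 + EOI
    damaged = SOI + b"\xE1\x00\x20Exif\x00\x00" + b"\x22" * 120     # footer gone
    return bytes(1024) + intact + bytes(512) + damaged + bytes(2048)


if __name__ == "__main__":
    for off, data, complete in carve_jpegs(sample_unallocated()):
        print("offset %d: %d bytes, %s" % (off, len(data), "complete" if complete else "INCOMPLETE"))
```

Two limits worth knowing before trusting carved output. A JPEG with an EXIF thumbnail contains a second SOI/EOI pair inside the first, so a naive header-to-footer carve stops at the thumbnail's footer and returns a truncated picture; production carvers parse the marker segments instead. And when the footer really has been overwritten, the next FF D9 on the disk may belong to an unrelated file, which is why `max_size` caps the candidate and why the slide flags such files as possibly incomplete.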

59 Evidence Analysis: Recovery of deleted files:

60 Evidence Analysis: Example of wiping files in software:
Encrypt an existing folder using Microsoft Encrypting File System (EFS). Note the TMP artifact left after conversion.
Use the cipher command to wipe: cipher /w:<directory> overwrites the unallocated space of the volume holding that directory (it does not touch allocated files), which removes the plaintext remnants left by the conversion.
Result:

61 Evidence Analysis: Recycle Bin (Windows 98, NT, 2000, XP). The default process when a file is moved to the Recycle Bin: 1. A new file entry is created in the Recycle Bin (the file is renamed). 2. Additional information about the file is appended to a hidden system file named INFO2. The most important item can be the deletion date and time. (Windows Vista and later replaced INFO2 with per-file $I metadata records in $Recycle.Bin.)

62 Evidence Analysis: Each INFO2 record is 800 bytes. When the file is deleted from the Recycle Bin, the file is removed and so is the corresponding INFO2 record, both of which may be recoverable. Example…

63 Evidence Analysis: INFO2 file found in the recycler bin: Can sweep 800 bytes: Bookmark to display information:
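The 800-byte sweep and bookmark of slides 62-63 decode the record layout used by Windows 2000/XP: 260 bytes of ASCII path, a 4-byte index, a 4-byte drive number, an 8-byte FILETIME deletion timestamp, a 4-byte size on disk, and 520 bytes of UTF-16LE path. The following is an added example written for this transcript, not EnCase code, that parses an INFO2 file with that layout and reconstructs the renamed file in the Recycler folder (D + drive letter + index + extension, eg Dc1.xls). The INFO2 bytes come from `build_sample_info2()` and are constructed, not taken from a real system; the path, user name, size and timestamp in it are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20            # INFO2 header: version (4), 8 unknown bytes, record size (4), 4 more
RECORD_SIZE = 800           # Windows 2000/XP (version 5); Windows 98 wrote 280-byte records
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_record(rec):
    """Decode one 800-byte INFO2 record.

    Offsets: 0 ASCII path (260), 260 index, 264 drive number (0=A, 2=C),
    268 deletion FILETIME, 276 size on disk, 280 UTF-16LE path (520).
    """
    if len(rec) != RECORD_SIZE:
        raise ValueError("short INFO2 record")
    ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    uni_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
    path = uni_path or ascii_path
    leaf = path.rsplit("\\", 1)[-1]
    ext = "." + leaf.rsplit(".", 1)[1] if "." in leaf else ""
    return {
        "original_path": path,
        "index": index,
        "drive": chr(ord("A") + drive),
        "deleted": filetime_to_datetime(ft),
        "size_on_disk": size,
        "recycle_name": "D%s%d%s" % (chr(ord("a") + drive), index, ext),  # eg Dc1.xls
    }


def parse_info2(data):
    """Walk every record that follows the 20-byte header."""
    version, rec_size = struct.unpack_from("<I8xI", data, 0)
    if version != 5 or rec_size != RECORD_SIZE:
        raise ValueError("unexpected INFO2 version %d / record size %d" % (version, rec_size))
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        records.append(parse_record(data[off:off + RECORD_SIZE]))
    return records


def build_sample_info2():
    """Constructed INFO2 (not real evidence) holding one deleted spreadsheet."""
    path = r"C:\Documents and Settings\jsmith\My Documents\budget.xls"
    deleted = datetime(2005, 3, 15, 14, 30, tzinfo=timezone.utc)
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
    rec = path.encode("latin-1").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, datetime_to_filetime(deleted), 16384)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + rec


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(r["recycle_name"], "<-", r["original_path"], "deleted", r["deleted"].isoformat())
```

The deletion time is stored in UTC, so convert to the suspect machine's time zone (from the registry) before comparing against other artifacts. When INFO2 records are recovered from unallocated space rather than from the live file, feed the 800-byte run straight to `parse_record`; the header check in `parse_info2` only applies to an intact file.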

64 Evidence Analysis: EnCase can export the acquired files as a Windows share on the forensic machine. How may this be useful?

65 Evidence Analysis: It allows third-party tools to analyze the suspect files through the exported share. Examples…

66 Evidence Analysis: Virus Checking of suspect drive:

67 Evidence Analysis: Paraben Forensic Tools Examiner:

70 Evidence Analysis: Windows Artifacts:
Documents and Settings/USER/Recent/: recently accessed files, programs, etc, stored at this location as link (.lnk) files.
Print spooler: past printouts are written to disk as spool files; search for EMF files in unallocated space.

71 Evidence Analysis: View web cache: View browser history:

72 Event reconstruction:
Restoring evidence: export programs to run on the forensic machine, or boot into the suspect's drive (commonly using VMware).

73 Event reconstruction:
EnCase can present the acquired evidence to the forensic machine as a physical disk.

74 Event reconstruction:
VMware can use the EnCase embedded image directly, allowing a virtual boot into the suspect's drive without writing to the evidence file:

75 Event reconstruction:
Use software to reset password to allow access:

76 Questions?

77 Resources:
Windows Forensics and Incident Recovery, Carvey
File System Forensic Analysis, Carrier
Forensic Discovery, Farmer and Venema
Windows dd; EnCase; FTK; Ultimate Write Blocker Kit; NIST Hashes; The Sleuth Kit (TSK); Paraben Software
