Presentation on theme: "Forensic Overview 10:45-11:45 AM Jeffrey Savoy, CISSP GIAC EnCE Information Security Officer University of Wisconsin Madison."— Presentation transcript:
Forensic Overview 10:45-11:45 AM Jeffrey Savoy, CISSP GIAC EnCE Information Security Officer University of Wisconsin Madison
Background Digital Preservation Digital Analysis Road Map:
Background: Definitions: Digital Investigation Answer questions about digital events Digital Forensic Investigation Answer questions about digital events so the results are admissible in court
Background: Sample forensic considerations: Chain-of-Custody Prevent cross contamination during exam Wide acceptance of investigative techniques? Can the findings be duplicated?
Background: Examples of digital investigation cases: Electronic harassment (google, , etc) Fraud (spreadsheets, etc) Illegal pornography Stolen computer recovery Assist in identifying owner Hacking (software)
-> Media Acquisition
-> Answer questions
-> Media Acquisition -> Ensure answers are correct to the extent possible
Digital Investigation Tools: A wide variety of tools exist and may operate at one of more levels of the investigative process, eg Preservation + Analysis Forensic Tool Kit (FTK) P/A$1,000 Guidance Software EncaseP/A$1,500 dd & The Sleuth KitP/AOpen Source *Approximate; plugs-ins, etc
Evidence Preservation Sample guidelines : Preserve original evidence and work on copy of data Digital data is fragile, obtain with minimal disturbance Results should be repeatable Take good notes!
Evidence Preservation Traditionally obtain an exact copy of data on media that survives at power down Higher level of certainty Possibly capture the state of a live system Lower level of certainly due to side effects but may lead to more understanding
Evidence Preservation: Where is the evidence? Hard drives USB Thumb drives CDROMs Floppy diskettes Palm Pilot Memory
Evidence Preservation: Implement media write blockers during acquisition: Prevent changes to evidence Sit between forensic machine and media SCSI, sATA, IDE, etc
Evidence Preservation: Write Blocker Kit “Ultimate Write Blocker Kit” Full kit approximately $1,800
Evidence Preservation: Implement write blocker bridges: firewire/usb -> IDE
Evidence Preservation: Implement write blocker bridges: firewire/usb -> USB
Evidence Preservation: Switches can be set to allow for writes Can be useful in some cases (after preservation stage) Remember to always confirm Write protection ON.
Evidence Preservation: Network Acquisition: Prevent writes to evidence Sometimes best option, eg RAID array
Evidence Preservation: Raw image Only data from the source media Example: dd Embedded image Includes additional descriptive data, eg hash values, case notes, etc Example: Encase evidence file Review examples…
Evidence Preservation: dd Native to Unix/Linux Available for Windows Copies chunks of data from one file and writes it to another. Only knows about files and not file systems, disks, etc.
Evidence Preservation: dd examples: Create an image of hard drive: dd if=/dev/hda bs=2k of=raw.img Calculate md5 checksum of drive: dd if=/dev/hda bs=2k | md5sum Preserve memory in Windows: dd if=\\.\physicalmemory of=c:memory.dd bs=47 \\.\ windows way to accessing device file
Evidence Analysis: Sectors and Clusters Sectors: The smallest addressable unit on a hard drive, typically 512 bytes Clusters: The smallest allocation unit by the operating system made up of groups of sectors
Evidence Analysis: Master Boot Record (MBR) In PCs boot code exists in first 446 bytes of the first sector. The last bytes contain information on the first four partitions. Boot process gets code from the MBR and then looks for the first bootable partition location and find additional boot code from there.
Evidence Analysis: Allocated vs Unallocated Space File systems like FAT/NTFS reserve clusters for use. As fill with files, the clusters become allocated. As files are removed, the clusters become unallocated and again available for use by the file system. Thus, unallocated space may contain useful information in an investigation.
Evidence Analysis: File Slack: The file system pre-allocates space for individual files (clusters). If a file does not occupy the full space, the end is “slack”. This slack may contain information from the previous file. Similar to recording an hour length show on VHS tape and overwriting with an 30 min show. Note that File Slack is allocated space.
Evidence Analysis: Encase displays file slack as red text: May find tidbits…
Evidence Analysis: Encase view of sample PC media Note: MBR, Allocated/Unallocated clusters
Evidence Analysis: Encase view of Sector 0 containing the MBR
Evidence Analysis: We can “sweep” 64 bytes on sector offset 446 to manually confirm the partition information
Evidence Analysis: Status: 80 is the bootable partition -in this case the NTFS partition Use Encase “Bookmark” to translate to the partition information. Type:
Evidence Analysis: Encase “report” view of same disk confirms the information.
Evidence Analysis: What happens if the partition table is gone (on purpose or otherwise)? The Encase view: Note that no logical volumes shown (C: D:) and all gray clusters
Evidence Analysis: Search for common beginnings of partitions starting at sector 63 MSWIN4.0 -> Windows 98 FAT MSWIN5.0 -> Windows 2000, XP FAT NTFS -> Windows NTFS
Evidence Analysis: Now inform Encase that we believe that this location contains a NTFS partition
Evidence Analysis: The volume now appears -> Can save to Encase “case” to retained after shut down.
In reviewing files, Encase provides the below gui: Evidence Analysis: Note ability to sort columns and files listed out
Encase GUI provides the ability to filter: Used to view files based on supplied criteria Can be used to reduce many thousands of files to more manageable level Evidence Analysis: Example of listing only Word docs
Evidence Analysis: Searches: Major activity in many investigations Decide on text terms or patterns
Evidence Analysis: When doing text/pattern searches usually also run: File signature verification Review file headers Hash computation Compute hashes on all files Review both in moment…
Evidence Analysis: Search hits displayed along with their locations on the media: Note keyword hits in unallocated clusters
Evidence Analysis: File Signature verification: Encase can compare each file header to library of over 220 unique known signatures in order to determine file type, eg.doc,.jpg, etc How is this useful?
Evidence Analysis: Can assist in finding files with changed extensions For example renaming a.jpg file with a.txt extension: Case one: A file header matches a known value but the extension does not match Can do for every file and quick sort to search for inconsistencies
Evidence Analysis: Case two: A file header matches a known value but the file does not have an extension Encase will act consistent with header when file is double clicked, eg launch Excel for a file matching Excel header Encase will act consistent with header when file is viewed, eg Gallery view will display pictures even though no extensions Useful for file systems with Macintosh HFS file system
Hash computation: Calculate the MD5 hash of every file Evidence Analysis:
Hash computation: Evidence Analysis: Uses: Find specific file Third party may provide hashes to search Malware, illegal images, etc Filter known files Faster searches! Example…
Evidence Analysis: Import NIST known OS md5 hashes available on their web site
Evidence Analysis: Encase now indicates “*known” files (* used for sorting purposes):
Evidence Analysis: Now use an Encase Filter to remove these files from view and searches: In this case, reduced 21,088 files to 14,787 30% less files to search!
Evidence Analysis: Data Carving within Encase Can matching headers/footers/file size/etc and search through unallocated space and “carve” out file and save to forensic machine for review Commonly search for jpegs, html, etc Since searching through unallocated space, the files found may not be compete Encase provides EnScript to do (similar to C++)
Evidence Analysis: Run EnScript:
Evidence Analysis: Carve out any found jpegs in the unallocated clusters Likely include incomplete jpegs since may have been overwritten
Evidence Analysis: Recovery of deleted files:
Evidence Analysis: Example of wiping files in software: Encrypt existing folder using Microsoft Encrypting File System (EFS). Note TMP artifact left after conversion Use the cipher command to wipe directory: Result:
Evidence Analysis: Recycle Bin: Windows 98, NT, 2000, XP The default process when a file is moved to the Recycling bin. 1. New file entry in Recycle Bin 2. Additional about the file in a hidden system file named INFO2 Most important can be the delete date and time
Evidence Analysis: Each INFO2 record 800 bytes When the file is deleted, the file is remove as well as the corresponding INFO2 record both of which may be recoverable Example..
Evidence Analysis: INFO2 file found in the recycler bin: Can sweep 800 bytes: Bookmark to display information:
Evidence Analysis: Encase allows the ability to export the acquired files as a windows share on forensic machine. How may this be useful?
Evidence Analysis: This is useful to allow third party tools to analyze the export share of suspect files Examples…
Evidence Analysis: Virus Checking of suspect drive:
Windows Artifacts: Recent/: Recently accessed files, programs, etc Stored at this location as link files. Documents and Settings/USER/ Print spooler Past printouts written to disk Search for EMF files in unallocated space
Evidence Analysis: View web cache: View browser history:
Restoring evidence Export programs to run on forensic machine Boot into suspects drive Commonly use VMware Event reconstruction:
Encase allows acquired files to be exported as a physical disk Event reconstruction:
VMware can use Encase embedded image directly and allow virtually booting into suspect drive: Event reconstruction:
Use software to reset password to allow access: Event reconstruction:
Resources: Windows Forensics and Incident Recovery, Carvey File System Forensic Anaylsis, Carrier Forensic Discovery, Farmer, Venema Windows dd Encase FTK Ultimate Write Blocker Kit NIST Hashes The Sleuth Kit (TSK) Paraben Software