Published by Chester Horn. Modified over 9 years ago.
1
Introduction to Computer Forensics Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ KSU ETTC Slides at: www.speakwisdom.com brent@speakwisdom.com
2
Caveat I am not dispensing legal advice Use what you hear, read, and do at your own risk Consult with your legal advisor when conducting an investigation
3
The Need for Computer Forensics
4
Anyone can access anything via the internet Students, faculty, staff and parents doing bad stuff! Technology is more sophisticated –Faster –More portable Schools have perceived responsibility
5
Concerns Pornography –Child Pornography Emails –Threatening –Relationship related Instant Messages Web sites (MySpace) –Bullying –Faculty pages
8
Bringing Things to School Flash Memory Devices Containing what?
9
PDAs and Cell Phones Palm –Fading? –Lots of apps and storage (flash) –Infrared and Bluetooth beaming Windows Mobile –Lots of storage (flash) –Familiar interface –Easily networked (WiFi, Bluetooth) –View photos and movies –Capture images, sound
10
More Threats Downloads –To School PCs CDs/DVDs Social Networking Sites –FaceBook –MySpace Phishing –Emails & Web sites
11
Objectives Gain Basic Knowledge –What is Computer Forensics? –Concepts –Procedures –What Not to Do? –What to do Next? Learn some basic techniques Raise level of awareness
12
Do You Have a Duty To Report? Yes, if you suspect a crime has been committed Yes, if you suspect “sexual exploitation” including conduct involving child pornography. Once you bring in police, you stop forensic work.
13
Kinds of Forensics PC/Laptop –Files, email, internet activity Device –Cell phone –PDA –MP3 Player (iPod!) Network –Internet traffic –Local/wireless traffic
14
Places High Technology Crime Investigation Association –www.htcia.org Atlanta HTCIA –www.atlhtcia.org Southeast Cybercrime Summit –www.southeastcybercrimesummit.com
15
Places Access Data (FTK) –www.accessdata.com X-Ways Forensics (WinHex) –www.x-ways.com ProDiscover –www.techpathways.com Helix –www.e-fense.com
16
Certification Certified Computer Examiner –http://www.certified-computer-examiner.com/index.html More –Google search “computer forensics” Books –Plenty! –Check Amazon, BN, etc.
17
Preparation What to Do Before You Start You need the right people!
18
Build a Response Team Cover all bases –Legal, Technical, Law Enforcement, PR Attorney or Legal Advisor Strong “Geek” –Vast knowledge required School Law Enforcement Person, Local Police Public Relations
19
Incident Response Plan Response plan –Who is called? –How others are notified? Clear process –Who has responsibility for what? –Decision Points Policy issue / Legal issue Coordinate with law enforcement –As appropriate
20
Someone Must Know Your Hardware & Software Servers Workstations PDAs CD-ROM, CD/DVD Webcams Modems Key Loggers USB Devices Wireless Windows –9x, 2000, 2003, XP Unix/Linux OS X DOS FAT NTFS EXT2/EXT3
21
Someone Must Know Auditing and Logging Know where each OS keeps its logs Know the kinds of OS logs –Windows Event Viewer Auditing Date and time of the device (note any offset from true time) Date and time of log entries File/Directory date & time stamps
22
Computer Evidence
23
Will this End Up in Court? Assume your case will! Courts require ample unaltered evidence Evidence must be processed properly Specially trained team should always conduct investigation
24
Main Emphasis of Forensics Identify the Evidence Determine how to preserve the evidence Extract, process, and interpret the evidence Ensure that the evidence is acceptable in a court of law
25
Evidence Computer evidence is fragile Courts know that digital evidence is easily planted/altered You must be able to show that evidence is pristine and unmodified! See www.cybercrime.gov
26
Evidence Can include any form of electronic data Can include devices –Computers –CD-ROMs –Floppies –Cellular Telephones –Pagers –Digital Cameras
27
Rules More latitude in schools/businesses –Internal processes –Governed by policy documents –Expectation of privacy Law enforcement works under more restrictive rules –Subpoenas & search warrants –Chain of command –Agency boundaries
28
What to “Prosecute”? Harm inflicted? Violation of Written Policy? Policy communicated to teacher/student/parents? Investigation conducted by trained personnel? Successful investigation?
29
Problem in School Systems Security and Forensics projects don’t generate revenue –Or FTEs Hard to get “higher up” to understand need –Until superintendent and board picture is in the paper Money for training Politics of position
30
Training Training team is essential They need to –Learn basic procedures –Gain expertise in technical areas Sufficient Personal Interest? –Get Certified –Get degree
31
End User Training Users need to be aware –School System Policies –Requirements to guard information –Laws –Awareness Illegal Activities –Social Engineering –Spyware Consider Yearly Seminar Splash Screen
32
Investigation
33
Do It Right! Photograph the system and the scene Take notes (two people present) Get the basics –System model/SN –HD model and SN –System date/time (and its offset from true time) –BIOS boot info Power down (pull the plug; laptop: pull the battery) –This preserves the disk state but loses anything held only in RAM
34
Evidence Gathering Have secure-erased drives ready Get Suspect Drive Image –Attach a write-blocker –Get two or more images of the drive Seal original drive –Place a copy of the drive back in the PC (if appropriate) Original drive should be locked away Control Chain of Custody
35
Capturing the Data Image
36
Preparing an Evidence Drive Use USB drive case
37
Preparing an Evidence Drive Use large drives Have several Secure-erase all drives –Record date, time, and method Store in locked area Software to Secure Erase? –Helix –WinHex Pro –ProDiscover
38
Prepare Evidence Drive –Connect to Analysis PC –WinHex Pro Select Physical Media (not Logical Drive) Edit / Fill Sectors / hex 00 Will take several minutes –(25 min for 40 GB)
39
Image Options Boot suspect PC with Helix –Easiest for laptops Attach USB evidence drive Use AIR or similar tool to image drive
40
Image Options Remove HD from Suspect, place as Slave in Analysis PC –Use Write Blocker Remove HD from PC, place in USB Case –Use Write Blocker Protect the original!
41
Image Options Get image –Multiple copies Image Type –Drive to Drive –Drive to Image File (dd)
45
Sources for Write Blockers www.digitalintelligence.com www.blackbagtech.com www.forensicpc.com
46
Other Image Options Use USB Evidence Drive
Boot PC with Knoppix or Helix CD, open a terminal window:
  dd if=/dev/hda of=/dev/sda
  Speed: 1 hour per GB
Boot PC with Helix CD, open a terminal window:
  dcfldd if=/dev/hda of=/dev/sda
  Speed: 4 min per GB
Here /dev/hda is the suspect IDE drive and /dev/sda the USB evidence drive. Confirm both with fdisk -l before running: swapping if= and of= overwrites the evidence.
47
Other Image Options GHOST! Boot with BartPE CD, open a command window:
  ghost32 -ir -fnf
  (Image Raw, No Fingerprint)
  Speed: 2 min per GB
GHOST! Version 7.5 or later: boot with Ghost floppy
  ghost -ir -fnf
48
What is the Hash? Used to verify that the image is an exact copy of the source MD5 the suspect drive or partition MD5 the image The two must match Record both values, with date, time, and examiner, in the case notes Re-hash the image before analysis to show it has not changed
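The imaging and hashing steps on the two slides above (dd/dcfldd to the evidence drive, then MD5 of source and image) as one runnable script. This is an added example, not code from the original slides; it assumes GNU coreutils (dd, md5sum, sha256sum) as found on a Linux live CD, and the "suspect drive" it operates on is a constructed 1 MiB file rather than a real device.

```shell
#!/bin/sh
# Added example (not from the original slides): acquire a raw dd-style
# image of a source device or file, then verify the image against the
# source with MD5 (as the slides do) and SHA-256 (a second, stronger
# check). Assumes GNU coreutils: dd, md5sum, sha256sum.
set -u

# acquire_image SRC DST
# bs=512 matches the sector size, so conv=sync (which pads a short final
# block with zeros) never changes the image length. conv=noerror keeps
# going past unreadable sectors instead of aborting, which is what you
# want on a failing suspect drive. dd's messages go to DST.log so read
# errors are recorded for the case notes.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.log"
}

# hash_file FILE -> prints "<md5> <sha256>" on one line
hash_file() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$md5" "$sha"
}

# verify_image SRC DST -> prints both hash lines; exit 0 if they match,
# 1 otherwise. Copy both lines into the case notes with date/time.
verify_image() {
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    printf 'source %s\n' "$src_hash"
    printf 'image  %s\n' "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# make_demo_source FILE
# Constructed stand-in for /dev/hda: 2048 random sectors (1 MiB). Use a
# throwaway file; never write to the original evidence.
make_demo_source() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Demo run (constructed data, safe anywhere writable):
#   tmp=$(mktemp -d); make_demo_source "$tmp/src.img"
#   acquire_image "$tmp/src.img" "$tmp/image.dd"
#   verify_image "$tmp/src.img" "$tmp/image.dd" && echo "image verified"
```

On a real acquisition replace the source with the device node (for example /dev/hda as on the slide) and, if dcfldd is available, `dcfldd if=/dev/hda of=image.dd hash=md5,sha256 hashlog=hashes.txt bs=512 conv=noerror,sync` computes the hashes in the same pass. Hashing the source device a second time after imaging shows the write blocker did its job: the source hash must still equal the one taken first.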
49
Extracting Information from Data
50
Analysis Work on Image, not Original Time Consuming! Tools Allow –Finding deleted files Images Email IE cache –Searching for text (“drugs”, etc.) –Show Hidden Files –Show Hidden Partitions or Drives
51
Definitions Unallocated Space –Space never used on a hard drive –Space freed by deleted files (the data usually remains until it is overwritten) Slack Space –The space between the end of a file's data and the end of its last cluster; it can hold remnants of whatever previously occupied that cluster
52
1. Examine Suspect HD Boot Suspect PC with Helix Hidden Drive? (QTParted) Browse with File Manager –See images, open documents –See hidden partition Use Retriever –Path /media/sda1 –Find images
53
1a. Examine USB Evidence Drive Image in Windows Use Windows Disk Management MMC to look at Partition MyComputer Search Wrong Extension? Encrypted? MS TweakUI –Can be used to hide drive letters
54
2. Find Images (Not Deleted) ExifPro Easy
55
3. Find Deleted Files Great tool, easy to use
56
4. Examine in Windows Examine PC with Helix Windows –System Information Drive letter discrepancy? –Incident Response Windows Forensics Toolchest Security Reports (others want NetCat) –Scan for Images (no path information) –Windows Search (for files) –Disk Management (for drives, partitions)
57
WinHex Open .dd file Specialist –Interpret file as disk View all .jpg files in the file system –Tools, Disk Tools, Explore Recursively –You can add a path column Look for .dbx files
58
WinHex Find .jpg files in unallocated space –Tools, Disk Tools, File Recovery by Type Find text in files –Search, Find Text (or Simultaneous Search)
59
Email - Outlook Express Local Settings\Application Data\Identities\…\Microsoft\Outlook Express OE Reader (free) Mail stored in .dbx files Similar tools for Outlook .pst files
60
Passwords and Encryption
61
NTPassword –http://home.eunet.no/pnordahl/ntpasswd/ Password Tools –http://www.passwordportal.net/ –http://www.brothersoft.com/downloads/crack-password.html –http://www.elcomsoft.com/index.html –http://www.accessdata.com/
62
Steganography and Keystroke Logging Steganography –Try Steganote Keystroke logging –Try 007Starr
63
Common Forensics Tools
64
PRODISCOVER Create Case Add Image Content View –Examine Deleted Files Click check box on interesting file Make comment Gallery view
65
PRODISCOVER Content Search –Search for pattern Drugs, sex, etc. –Click Search Results Finds anything: docs and email! Search for *.jpg
66
PRODISCOVER What about files with wrong ext? –Pick Folder on Left Side –Tools – Signature Matching –Export Report
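The "Wrong Extension?" check from the USB evidence drive slide and ProDiscover's Signature Matching above both rest on the same idea: compare a file's leading bytes (its signature) with what its extension claims. The script below is an added example, not code from the slides or from ProDiscover; its signature table is a small constructed subset (JPEG, PNG, GIF, PDF, ZIP/Office) where real tools carry hundreds, and it assumes a POSIX shell with od and tr.

```shell
#!/bin/sh
# Added example (not from the original slides): flag files whose
# extension disagrees with their content, the "wrong extension" problem
# the slides solve with Windows Search or ProDiscover signature matching.
# The signature table is a constructed subset; extend it as needed.
set -u

# magic_hex FILE -> first 4 bytes as lowercase hex, e.g. ffd8ffe0
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# type_from_magic HEX -> type name implied by the leading bytes
type_from_magic() {
    case "$1" in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        25504446) echo pdf ;;
        504b0304) echo zip ;;   # also docx/xlsx/pptx containers
        *)        echo unknown ;;
    esac
}

# type_from_ext FILE -> type name the extension claims
type_from_ext() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.jpg|*.jpeg)               echo jpeg ;;
        *.png)                      echo png ;;
        *.gif)                      echo gif ;;
        *.pdf)                      echo pdf ;;
        *.zip|*.docx|*.xlsx|*.pptx) echo zip ;;
        *)                          echo unknown ;;
    esac
}

# check_file FILE -> prints one report line; returns 0 when extension and
# content agree, 1 on a MISMATCH (the interesting case), 2 when the
# content signature is not in the table.
check_file() {
    ext=$(type_from_ext "$1")
    content=$(type_from_magic "$(magic_hex "$1")")
    if [ "$content" = unknown ]; then
        printf '%s ext=%s content=%s unknown\n' "$1" "$ext" "$content"
        return 2
    elif [ "$ext" = "$content" ]; then
        printf '%s ext=%s content=%s ok\n' "$1" "$ext" "$content"
        return 0
    else
        printf '%s ext=%s content=%s MISMATCH\n' "$1" "$ext" "$content"
        return 1
    fi
}

# scan_dir DIR -> one report line per regular file; the return value is
# the number of mismatches found (run this on the mounted image copy,
# never on the original drive).
scan_dir() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        check_file "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then n=$((n + 1)); fi
    done
    return "$n"
}

# Demo on constructed files (a JPEG header saved as .txt is the classic
# hiding trick the slides warn about):
#   tmp=$(mktemp -d)
#   printf '\377\330\377\340' > "$tmp/photo.txt"
#   printf '\211PNG\r\n' > "$tmp/pic.png"
#   scan_dir "$tmp"; echo "mismatches: $?"
```

A mismatch is a lead, not proof: some formats share headers (Office documents are ZIP containers) and some files are legitimately renamed, so each hit still needs a look in a viewer such as ExifPro or WinHex. Checking only the first four bytes is deliberate; a fuller tool also checks trailers and internal structure.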
67
Pulling It All Together
68
You are now… Dangerous! Keep Going!
69
Questions?
70
Thank you! www.speakwisdom.com