CSE 4482: Computer Security Management: Assessment and Forensics

Presentation transcript:

CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca), ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3–5 pm (CSEB 3043), or by appointment
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition
4/17/2017

GFCI Ch 1: Computer Forensics
Objectives:
- Define computer forensics
- Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
- Explain the importance of maintaining professional conduct

What is Computer Forensics?
- Definition: involves obtaining and analyzing digital information, often as evidence in civil, criminal, or administrative cases
- Computer forensics investigates data that can be retrieved from a computer's hard disk or other storage media
- Task of recovering data that users have hidden or deleted and using it as evidence
- Evidence can be inculpatory ("incriminating") or exculpatory

Computer Forensics Versus Other Related Disciplines
- Network forensics: yields information about how a perpetrator or an attacker gained access to a network
- Data recovery: recovering information that was deleted by mistake, or lost during a power surge or server crash; typically you know what you're looking for

Computer Forensics Versus Other Related Disciplines (continued)
- Disaster recovery: uses computer forensics techniques to retrieve information their clients have lost
- Investigators often work as a team to make computers and networks secure in an organization

Digital Evidence
- Locard's principle: "every contact leaves a trace"
- Digital evidence: any information, stored or transmitted in digital form, that a party to a court case may use at a trial
- To be accepted in court, digital evidence must meet certain criteria, including:
  - Admissibility
  - Authenticity

Case study
In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence. Among other problems, the court said that Amex failed to provide adequate information about its computer policy and system control procedures, control of access to relevant databases and programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.
The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ..."
http://www.proofspace.com/technology/discovery.php

Lessons
- Document your access control and backup procedures and policies, and test the effectiveness of your controls.
- Have the changes to your databases and content/record management system routinely recorded and logged.
- Protect your electronic records from post-archival tampering with modern data integrity and trusted time-stamping technologies.
- Document the audit procedures you use to provide assurance of the continuing authenticity of the records.
http://www.proofspace.com/technology/discovery.php

The Investigations Triad (figure slide; the textbook's triad is vulnerability assessment and risk management, network intrusion detection and incident response, and computer investigations)

Computer Forensics: A Brief History
- By the 1970s, electronic crimes were increasing, especially in the financial sector
- Most law enforcement officers didn't know enough about computers to ask the right questions, or to preserve evidence for trial
- 1980s: PCs gained popularity and different OSs emerged; Disk Operating System (DOS) was available
- Forensics tools were simple, and most were generated by government agencies

A Brief History (1980s)
- Mid-1980s: Xtree Gold appeared on the market; it recognized file types and retrieved lost or deleted files
- Norton DiskEdit soon followed, and became the best tool for finding deleted files
- 1987: Apple Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage

A Brief History (1990s)
- Tools for computer forensics were available
- International Association of Computer Investigative Specialists (IACIS): training on software for forensics investigations
- IRS created search-warrant programs
- ExpertWitness for the Macintosh: first commercial GUI software for computer forensics, created by ASR Data; recovers deleted files and fragments of deleted files
- Large hard disks posed problems for investigators
- Other software: iLook, AccessData Forensic Toolkit (FTK)

Understanding Case Law
- Technology is evolving at a very rapid pace; existing laws and statutes cannot keep up
- Case law is used when statutes or regulations don't exist
- Case law allows legal counsel to use previous cases similar to the current one, because the laws don't yet exist
- Each case is evaluated on its own merit and issues
- Computer Crime & Intellectual Property document at US DoJ: http://www.cybercrime.gov/ssmanual/index.html

Case study: case law does not involve creating new criminal offenses
"... an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes."

Developing Computer Forensics Resources
- Know more than one computing platform, such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
- Join computer user groups:
  - Computer Technology Investigators Network (CTIN): meets monthly to discuss problems that law enforcement and corporations face
  - High Technology Crime Investigation Association (HTCIA): exchanges information about techniques related to computer investigations and security

Developing Computer Forensics Resources (continued)
- User groups can be helpful
- Build a network of computer forensics experts and other professionals, and keep in touch through e-mail
- Outside experts can provide detailed information you need to retrieve digital evidence

Case Study A user group helped convict a child molester in Pierce County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.

Investigating Computers
- Typically includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice
- Two distinct categories:
  - Public investigations
  - Private or corporate investigations

Public investigations
- Involve government agencies responsible for criminal investigations and prosecution
- Organizations must observe legal guidelines
- Law of search and seizure: protects the rights of all people, including suspects

Private Investigations
- Private or corporate investigations deal with private companies, non-law-enforcement government agencies, and lawyers
- Aren't governed directly by criminal law or Fourth Amendment issues
- Governed by internal policies that define expected employee behavior and conduct in the workplace
- Private corporate investigations also involve litigation disputes
- Investigations are usually conducted in civil cases

Understanding Law Enforcement Agency Investigations
- In a criminal case, a suspect is tried for a criminal offense, such as burglary, murder, or molestation
- Computers and networks are only tools that can be used to commit crimes
- Many states have added specific language to criminal codes to define crimes involving computers
- Following the legal process: legal processes depend on local custom, legislative standards, and rules of evidence

Understanding LEA Investigations (continued)
- A criminal case follows three stages: the complaint, the investigation, and the prosecution

Understanding LEA Investigations (continued)
- A criminal case begins when someone finds evidence of an illegal act
- Complainant makes an allegation, an accusation or supposition of fact
- A police officer interviews the complainant and writes a report about the crime
- Police blotter provides a record of clues to crimes that have been committed previously
- Investigators delegate, collect, and process the information related to the complaint

Understanding LEA Investigations (continued)
- After a case is built, the information is turned over to the prosecutor
- Affidavit: sworn statement of support of facts about or evidence of a crime
  - Submitted to a judge to request a search warrant
  - Have the affidavit notarized under sworn oath
- Once the judge approves and signs a search warrant, it can be used to collect evidence

Understanding LEA Investigations (continued) (figure slide)

Understanding Corporate Investigations
- Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes
- Corporate computer crimes can involve:
  - E-mail harassment
  - Falsification of data
  - Gender and age discrimination
  - Embezzlement
  - Sabotage
  - Industrial espionage

Preventive measures
- Establishing company policies
  - One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
  - Published company policies provide a line of authority for a business to conduct internal investigations
  - Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
- Displaying warning banners
  - Another way to avoid litigation
  - Usually appears when a computer starts or connects to the company intranet, network, or virtual private network

Preventive measures (continued)
- Warning banner
  - Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
  - Establishes the right to conduct an investigation
- As a corporate computer investigator, make sure the company displays a well-defined warning banner

More on Corporate Investigations
- Designating an authorized requester
  - Authorized requester has the power to conduct investigations
  - Policy should be defined by executive management
- Groups that should have direct authority to request computer investigations:
  - Corporate Security Investigations
  - Corporate Ethics Office
  - Corporate Equal Employment Opportunity Office
  - Internal Auditing
  - The general counsel or Legal Department

Ch 2: Understanding Computer Investigations
Objectives:
- Explain how to prepare a computer investigation
- Apply a systematic approach to an investigation
- Describe procedures for corporate high-tech investigations
- Explain requirements for data recovery workstations and software
- Describe how to conduct an investigation
- Explain how to complete and critique a case

Preparing a Computer Investigation
- Role of the computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
- Collect evidence that can be offered in court or at a corporate inquiry
  - Investigate the suspect's computer
  - Preserve the evidence on a different computer
- Follow an accepted procedure to prepare a case
- Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court

Case study: CD Universe Prosecution Failure “An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000. Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established. Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”

An Overview of a Computer Crime
- Computers can contain information that helps law enforcement determine:
  - Chain of events leading to a crime
  - Evidence that can lead to a conviction
- Law enforcement officers should follow proper procedure when acquiring the evidence
- Digital evidence can be easily altered by an overeager investigator
- Information on hard disks might be password protected
- Guidelines: Ch 1, 2 in http://www.cybercrime.gov/ssmanual/index.html

Examining a Computer Crime (figure slide)

An Overview of a Company Policy Violation
- Employees misusing resources can cost companies millions of dollars
- Misuse includes:
  - Surfing the Internet
  - Sending personal e-mails
  - Using company computers for personal tasks
- Example: two employees have gone missing…

Taking a Systematic Approach
Steps for problem solving:
- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence disk drive
- Identify the risks
- Mitigate or minimize the risks
- Test the design

Taking a Systematic Approach II
Steps for problem solving (continued):
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case

Assessing the Case
- Systematically outline the case details:
  - Situation
  - Nature of the case
  - Specifics of the case
  - Type of evidence
  - Operating system
  - Known disk format
  - Location of evidence
- Based on case details, you can determine the case requirements:
  - Computer forensics tools
  - Special operating systems

Planning an Investigation
A basic investigation plan should include:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure evidence in an approved secure container
- Prepare a forensics workstation
- Obtain the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools

Securing Your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products: antistatic bags, antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings: floppy disk or CD drives, power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Procedures for Corporate High-Tech Investigations
- Develop formal procedures and informal checklists to cover all issues important to high-tech investigations
- The majority of investigative work for termination cases involves employee abuse of corporate assets

Internet abuse investigations
- To conduct an investigation you need:
  - Organization's Internet proxy server logs
  - Suspect computer's IP address
  - Suspect computer's disk drive
  - Your preferred computer forensics analysis tool
- Recommended steps:
  - Use standard forensic analysis techniques and procedures
  - Use appropriate tools to extract all Web page URL information
  - Contact the network firewall administrator and request a proxy server log
  - Compare the data recovered from forensic analysis to the proxy server log
  - Continue analyzing the computer's disk drive data

E-mail abuse investigations
- To conduct an investigation you need:
  - An electronic copy of the offending e-mail that contains message header data
  - If available, e-mail server log records
  - For e-mail systems that store users' messages on a central server, access to the server
  - Access to the computer for performing forensic analysis
  - Your preferred computer forensics analysis tool
- Recommended steps:
  - Use the standard forensic analysis techniques
  - Obtain an electronic copy of the suspect's and victim's e-mail folder or data
  - For Web-based e-mail investigations, use tools such as FTK's Internet Keyword Search option to extract all related e-mail address information
  - Examine header data of all messages of interest

Attorney-Client Privilege Investigations
- Under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential
- The extra secrecy introduces additional problems

Media Leak Investigations
- In the corporate environment, controlling sensitive data can be difficult
- Consider the following for media leak investigations:
  - Examine e-mail
  - Examine Internet message boards
  - Examine proxy server logs
  - Examine known suspects' workstations
  - Examine all company telephone records
- Steps to take for media leaks:
  - Interview management privately to get a list of employees who have direct knowledge of the sensitive data
  - Identify the media source that published the information
  - Review company phone records
  - Obtain a list of keywords related to the media leak
  - Perform keyword searches on proxy and e-mail servers

Media Leak Investigations II
Steps to take for media leaks (continued):
- Discreetly conduct forensic disk acquisitions and analysis
- From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive messages to other people
- Expand the discreet forensic disk acquisition and analysis
- Consolidate and review your findings periodically
- Routinely report findings to management

Industrial Espionage Investigations
- All suspected industrial espionage cases should be treated as criminal investigations
- Staff needed:
  - Computing investigator who is responsible for disk forensic examinations
  - Technology specialist who is knowledgeable of the suspected compromised technical data
  - Network specialist who can perform log analysis and set up network sniffers
  - Threat assessment specialist (typically an attorney)
- Many guidelines in the text

Understanding Data Recovery Workstations and Software
- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- Computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer, loaded with additional bays and forensics software
- To avoid altering the evidence, use:
  - A forensics boot floppy disk
  - Write-blocker devices

Setting Up your Computer for Computer Forensics
- Basic requirements:
  - A workstation running Windows XP or Vista
  - A write-blocker device
  - Computer forensics acquisition tool
  - Computer forensics analysis tool
  - Target drive to receive the source or suspect disk data
  - Spare PATA or SATA ports
  - USB ports
- Additional useful items:
  - Network interface card (NIC)
  - Extra USB ports
  - FireWire 400/800 ports
  - SCSI card
  - Disk editor tool
  - Text editor tool
  - Graphics viewer program
  - Other specialized viewing tools

Bit-Stream Copies
- Bit-stream copy: a bit-by-bit copy of the original storage medium, an exact copy of the original disk
- Different from a simple backup copy:
  - Backup software only copies known files
  - Backup software cannot copy deleted files or e-mail messages, or recover file fragments
- Bit-stream image: a file containing the bit-stream copy of all data on a disk or partition; also known as a forensic copy
- Copy the image file to a target disk that matches the original disk's manufacturer, size and model

Bit-stream Copies (continued) (figure slide)

Acquiring an Image of Evidence Media
- First rule of computer forensics: preserve the original evidence
- Conduct your analysis on a copy of the data
- Using ProDiscover Basic to acquire a thumb drive:
  - Create a work folder for data storage
  - Steps:
    - On the thumb drive, locate the write-protect switch and place the drive in write-protect mode
    - Start ProDiscover Basic

ProDiscover use (continued) (screenshot slide)

ProDiscover use (continued)
Using ProDiscover Basic to acquire a thumb drive (continued), steps (continued):
- In the main window, click Action, Capture Image from the menu
- Click the Source Drive drop-down list, and select the thumb drive
- Click the >> button next to the Destination text box
- Type your name in the Technician Name text box
- ProDiscover Basic then acquires an image of the USB thumb drive
- Click OK in the completion message box
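The same acquisition done from a Linux shell, as an added example that is not part of the lecture slides or of ProDiscover: a bit-stream copy with dd, validation by hashing source and image, and a keyword search that reaches into unallocated space. The evidence "device" is a constructed 1 MiB file (not a real disk); the strings written into it, the offsets and the work directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: bit-stream acquisition with dd, hash validation, keyword search.
# The evidence medium below is a constructed file, not a real device.
set -eu

WORK=$(mktemp -d)

# Constructed evidence medium: 1 MiB of zeros, an "allocated" file at offset 0
# and a "deleted" fragment left behind in otherwise unused space.
make_evidence() {
    dev="$WORK/evidence.dev"
    dd if=/dev/zero of="$dev" bs=1024 count=1024 2>/dev/null
    printf 'invoice.txt: amount due 1200' | dd of="$dev" bs=1 seek=0 conv=notrunc 2>/dev/null
    printf 'DELETED: wire 50000 to account 99' | dd of="$dev" bs=1 seek=524288 conv=notrunc 2>/dev/null
    echo "$dev"
}

# Acquire: bit-for-bit copy. conv=noerror keeps going past unreadable blocks
# and conv=sync zero-fills them so every later offset in the image stays
# aligned with the source. Pick a bs that divides the device size, otherwise
# sync pads the final block and the image hash will not match the source.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Validate: hash the source medium and the image; they must be identical.
validate_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ] && echo match || echo MISMATCH
}

# Keyword search over the whole image, including unallocated space.
# Prints the byte offset of each hit (what a tool would show as a sector hit).
keyword_search() {
    grep -a -b -o "$2" "$1" | cut -d: -f1
}

# Stand-alone run
DEV=$(make_evidence)
acquire_image "$DEV" "$WORK/evidence.dd"
echo "validation: $(validate_image "$DEV" "$WORK/evidence.dd")"
echo "hit offset: $(keyword_search "$WORK/evidence.dd" 'DELETED: wire')"
```

Run it as a normal user; on a real device replace the constructed file with the block device path (behind a write-blocker) and record both hashes in the evidence form before analysis begins.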

ProDiscover use (continued) (screenshot slide)

Analyzing Digital Evidence
- Your job is to recover data from:
  - Deleted files
  - File fragments
  - Complete files
- Deleted files linger on the disk until new data is saved on the same physical location
- Tool: ProDiscover Basic

Analyzing Digital Evidence (contd)
- Steps:
  - Start ProDiscover Basic
  - Create a new case
  - Type the project number
  - Add an Image File
- Steps to display the contents of the acquired data:
  - Click to expand Content View
  - Click All Files under the image filename path

Analyzing Digital Evidence (continued) (screenshot slide)

Analyzing Digital Evidence (contd)
- Analyze the data
- Search for information related to the complaint
- Data analysis can be the most time-consuming task

ProDiscover Basic can:
- Search for keywords of interest in the case
- Display the results in a search results window
- Click each file in the search results window and examine its content in the data area
- Export the data to a folder of your choice
- Search for specific filenames
- Generate a report of your activities

ProDiscover Basic - contd (screenshot slides)

Completing the Case
- You need to produce a final report: state what you did and what you found
- Include the ProDiscover report to document your work
- Repeatable findings: repeat the steps and produce the same result
- If required, use a report template
- Report should show conclusive evidence: the suspect did or did not commit a crime or violate a company policy

Critiquing the Case
Ask yourself the following questions:
- How could you improve your performance in the case?
- Did you expect the results you found?
- Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? If so, what are they?
- Did you use new techniques during the case or during research?

Next: Ch 4 - Data Acquisition
Objectives:
- List digital evidence storage formats
- Explain ways to determine the best acquisition method
- Describe contingency planning for data acquisitions
- Explain how to use acquisition tools
- Explain how to validate data acquisitions
- Describe RAID acquisition methods
- Explain how to use remote network acquisition tools
- List other forensic tools available for data acquisitions

Understanding Storage Formats for Digital Evidence
Three formats:
- Raw format
- Proprietary formats
- Advanced Forensics Format (AFF)

Raw Format
- Makes it possible to write bit-stream data to files
- Advantages:
  - Fast data transfers
  - Can ignore minor data read errors on the source drive
  - Most computer forensics tools can read raw format
- Disadvantages:
  - Requires as much storage as the original disk or data
  - Tools might not collect marginal (bad) sectors

Proprietary Formats
- Features offered:
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file
- Disadvantages:
  - Inability to share an image between different tools
  - File size limitation for each segmented volume

Advanced Forensics Format
- Open source, developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
- Design goals:
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Internal consistency checks for self-authentication
- File extensions include .afd for segmented image files and .afm for AFF metadata

Types of Data Acquisition
- Static acquisitions and live acquisitions
- Four methods:
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Logical disk-to-disk or disk-to-data file
  - Sparse data copy of a file or folder

Bit-stream copy
- Bit-stream disk-to-image file
  - Most common method
  - Can make more than one copy
  - Copies are bit-for-bit replications of the original drive
  - Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook
- Bit-stream disk-to-disk
  - When a disk-to-image copy is not possible
  - Consider the disk's geometry configuration
  - Tools: EnCase, SafeBack, SnapCopy

Logical acquisition or sparse acquisition
- When your time is limited
- Logical acquisition captures only specific files of interest to the case
- Sparse acquisition also collects fragments of unallocated (deleted) data
- For large disks: PST or OST mail files, RAID servers

Determining the Best Acquisition Method
When making a copy, consider:
- Size of the source disk
  - Lossless compression might be useful
  - Use hashes or digital signatures for verification
  - When working with large drives, an alternative is using tape backup systems
- Whether you can retain the disk
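The segmented, compressed image with a hash manifest that the proprietary-format and "best acquisition method" slides describe, as an added shell example that is not part of the lecture or of any forensic product: a raw image is split into fixed-size segments, each segment and the whole image are hashed, the segments are compressed losslessly, and the image is later rebuilt and re-verified. Tampering with one decompressed segment is shown to be caught by the manifest. The 3 MiB image, the 1 MiB segment size and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: segmented + compressed raw image with a SHA-256 manifest.
# The image is constructed data standing in for an acquired disk.
set -eu

WORK=$(mktemp -d)

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed 3 MiB image: 1 MiB of random data followed by 2 MiB of zeros,
# so lossless compression has something to gain (as on a partly empty disk).
make_image() {
    img="$WORK/disk.dd"
    { head -c 1048576 /dev/urandom; dd if=/dev/zero bs=1024 count=2048 2>/dev/null; } > "$img"
    echo "$img"
}

# Split into numbered segments, hash the whole image and every segment,
# then gzip each segment and drop the uncompressed copy.
segment_image() {
    img=$1; seg_size=$2; prefix=$3
    split -b "$seg_size" -d -a 3 "$img" "$prefix"        # prefix000, prefix001, ...
    sha256_of "$img" > "$prefix.sha256"                   # hash of the full image
    for s in "$prefix"[0-9][0-9][0-9]; do sha256sum "$s"; done > "$prefix.manifest"
    for s in "$prefix"[0-9][0-9][0-9]; do gzip -c "$s" > "$s.gz"; rm "$s"; done
}

# Decompress segments in order, check each against the manifest, concatenate.
reassemble_image() {
    prefix=$1; out=$2
    : > "$out"
    for gz in "$prefix"[0-9][0-9][0-9].gz; do
        seg=${gz%.gz}
        gzip -dc "$gz" > "$seg"
        cat "$seg" >> "$out"
    done
    sha256sum -c "$prefix.manifest" > /dev/null          # fails on any bad segment
}

# The rebuilt image must hash identically to the original acquisition.
verify_rebuilt() {
    [ "$(sha256_of "$2")" = "$(cat "$1.sha256")" ] && echo match || echo MISMATCH
}

# Flip one byte in a decompressed segment; the manifest check must now fail.
tamper_check() {
    prefix=$1
    printf 'X' | dd of="${prefix}001" bs=1 seek=10 conv=notrunc 2>/dev/null
    if sha256sum -c "$prefix.manifest" > /dev/null 2>&1; then echo undetected; else echo detected; fi
}

# Stand-alone run
IMG=$(make_image)
P="$WORK/seg."
segment_image "$IMG" 1048576 "$P"
reassemble_image "$P" "$WORK/rebuilt.dd"
echo "rebuilt image: $(verify_rebuilt "$P" "$WORK/rebuilt.dd")"
echo "tamper test:   $(tamper_check "$P")"
```

Keep the manifest and the whole-image hash with the evidence form; the per-segment hashes let you identify exactly which segment is damaged when a re-verification fails, which a single whole-image hash cannot do.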

Contingency Planning for Image Acquisitions
- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence
  - Use different tools or techniques
- Copy the host protected area of a disk drive as well
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives
  - Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

Using Acquisition Tools
- Acquisition tools for Windows
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
    - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area

Windows XP Write-Protection with USB Devices
- USB write-protection feature
  - Blocks any writing to USB devices
  - Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
- Steps to update the Registry for Windows XP SP2
  - Back up the Registry
  - Modify the Registry with the write-protection feature
  - Create two desktop icons to automate switching between enabling and disabling writes to USB devices

Windows XP Write-Protection with USB Devices (continued)

Acquiring Data with a Linux Boot CD
- Linux can access a drive that isn't mounted
- Windows OSs and newer Linux automatically mount and access a drive
- Forensic Linux Live CDs don't access media automatically
  - Which eliminates the need for a write-blocker
- Using Linux Live CD Distributions
  - Forensic Linux Live CDs
    - Contain additional utilities

Acquiring Data with a Linux Boot CD (continued)
- Using Linux Live CD Distributions (continued)
  - Forensic Linux Live CDs (continued)
    - Configured not to mount, or to mount as read-only, any connected storage media
  - Well-designed Linux Live CDs for computer forensics
    - Helix
    - Penguin Sleuth
    - FCCU
- Preparing a target drive for acquisition in Linux
  - Linux distributions can create Microsoft FAT and NTFS partition tables

Acquiring Data with a Linux Boot CD (continued)
- Preparing a target drive for acquisition in Linux (continued)
  - fdisk command lists, creates, deletes, and verifies partitions in Linux
  - mkfs.msdos command formats a FAT file system from Linux
- Acquiring data with dd in Linux
  - dd ("data dump") command
    - Can read and write from a media device and a data file
    - Creates a raw format file that most computer forensics analysis tools can read

Acquiring Data with dd (continued)
- Shortcomings of the dd command
  - Requires more advanced skills than the average user has
  - Does not compress data
  - dd command is intended as a data management tool, not designed for forensics acquisitions
  - dd command combined with the split command:
    - Segments output into separate volumes
- Acquiring data with dcfldd in Linux
  - dcfldd additional functions
    - Specify hex patterns or text for clearing disk space
    - Log errors to an output file for analysis and review
    - Use several hashing options
    - Refer to a status display indicating the progress of the acquisition in bytes
    - Split data acquisitions into segmented volumes with numeric extensions
    - Verify acquired data against the original disk or media data

Capturing an Image with ProDiscover Basic
- Connecting the suspect's drive to your workstation
  - Document the chain of evidence for the drive
  - Remove the drive from the suspect's computer
  - Configure the suspect drive's jumpers as needed
  - Connect the suspect drive
  - Create a storage folder on the target drive
- Using ProDiscover's Proprietary Acquisition Format
  - Image file will be split into segments of 650MB
  - Creates image files with an .eve extension, a log file (.log extension), and a special inventory file (.pds extension)

Capturing an Image with ProDiscover Basic (continued)


Capturing an Image with ProDiscover Basic (continued)
- Using ProDiscover's Raw Acquisition Format
  - Select the UNIX style dd format in the Image Format list box
  - Raw acquisition saves only the image data and hash value

Capturing an Image with AccessData FTK Imager
- Included on AccessData Forensic Toolkit
- View evidence disks and disk-to-image files
- Makes disk-to-image copies of evidence drives
  - At logical partition and physical drive level
  - Can segment the image file
- Evidence drive must have a hardware write-blocking device
  - Or the USB write-protection Registry feature enabled
- FTK Imager can't acquire a drive's host protected area

Capturing an Image with AccessData FTK Imager (continued)

Capturing an Image with AccessData FTK Imager (continued)
- Steps
  - Boot to Windows
  - Connect evidence disk to a write-blocker
  - Connect target disk to write-blocker
  - Start FTK Imager
  - Create Disk Image
    - Use Physical Drive option

Capturing an Image with AccessData FTK Imager (continued)

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512

Linux Validation Methods
- Validating dd acquired data
  - You can use the md5sum or sha1sum utilities
  - md5sum or sha1sum should be run on all suspect disks and volumes or segmented volumes
- Validating dcfldd acquired data
  - Use the hash= option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - hashlog= option outputs hash results to a text file that can be stored with the image files
  - vf= (verify file) option compares the image file to the original medium
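The dd-plus-split acquisition from the dd slide and the hash-and-verify step from this slide, as one added example that is not part of the course slides: the "suspect medium" is a constructed 1 MiB file, the image is cut into numbered segments, a hash log is written beside the image files, and validation reassembles the segments and compares the digest with the source. dcfldd's hash=, hashlog= and vf= options fold these steps into the acquisition itself; here they are done with coreutils (GNU split's -d flag is assumed).

```shell
#!/bin/sh
# Added example, not from the chapter: raw dd acquisition of a constructed medium,
# segmented with split, then validated per segment and as a whole.
set -eu
# Constructed stand-in for a suspect medium: 1 MiB of random bytes in a file.
# In a real case the source is a block device (e.g. /dev/sdb) behind a write-blocker.
make_source() {
    dd if=/dev/urandom of="$1" bs=65536 count=16 2>/dev/null
}

# Bit-stream disk-to-image copy in raw format. conv=noerror,sync keeps dd going
# past read errors and pads the unreadable block, so the image stays aligned.
acquire_raw() {
    dd if="$1" of="$2" bs=65536 conv=noerror,sync 2>/dev/null
}

# dd has no segmenting of its own; split cuts the image into numbered 256 KiB
# volumes named <prefix>000, <prefix>001, ... (GNU split flags assumed).
segment_image() {
    split -b 262144 -d -a 3 "$1" "$2"
}

# Hash the source medium and every segment into a log kept beside the image.
# SHA-256 is used here; md5sum/sha1sum take the same arguments.
write_hash_log() {
    src="$1"; prefix="$2"; log="$3"
    { sha256sum "$src"; for seg in "$prefix"*; do sha256sum "$seg"; done; } > "$log"
}

# Validation: reassemble the segments in order and compare the digest with the
# digest of the source. Returns 0 when the acquisition verifies, 1 otherwise.
verify_segments() {
    expected=$(sha256sum "$1" | cut -d' ' -f1)
    actual=$(cat "$2"* | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}
# Whole procedure in one work directory: acquire, segment, log hashes, verify.
run_acquisition() {
    work="$1"
    make_source "$work/suspect.img"
    acquire_raw "$work/suspect.img" "$work/evidence.dd"
    segment_image "$work/evidence.dd" "$work/evidence.dd."
    write_hash_log "$work/suspect.img" "$work/evidence.dd." "$work/evidence.sha256"
    if verify_segments "$work/suspect.img" "$work/evidence.dd."; then
        echo "acquisition verified: $(wc -l < "$work/evidence.sha256") hashes logged"
    else echo "VALIDATION FAILED" >&2; return 1; fi
}

[ "${1:-}" = "--demo" ] && run_acquisition "$(mktemp -d)"
```

Run with `sh acquire.sh --demo`; any later change to a segment (even a single appended byte) makes verify_segments fail, which is the check the slide asks for on every segmented volume.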

Windows Validation Methods
- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions

Performing RAID Data Acquisitions
- Size is the biggest concern
  - Many RAID systems now have terabytes of data
- What is RAID and what is it used for?
  - Redundant array of independent (formerly "inexpensive") disks (RAID)
  - Computer configuration involving two or more disks
  - Originally developed as a data-redundancy measure