
1 CS 491 - Digital Forensics
URL: http://www.cs.uwec.edu/~tan/priv/www-docs/cs491

2 Presentation Topics
Electronic security, information security systems, systems and network security
Vulnerability research, ethical hacking, zero day attack, attack pattern recognition
Computational immunology, authentication authorizations
Security in mobile platforms, mobile agents/artificial intelligence
Security: security policies/procedures, strategic approaches, requirements engineering
Identity: theft, management systems, access management systems
Open source intelligence, criminal data mining/network analysis/intelligence
Phishing/pharming/spearphishing, cyber war, cybercrime detection/analysis
Digital cities, GSM-solicited crime
Computer/mobile device/network/software forensics, anti-forensics
Digital forensics tools/techniques/standardization, testing/approvals for forensic tools
Crime scene/search and seizure processes, criminal investigation of mobile devices
Investigative techniques, judicial processes, legal/ethical issues, cyber crime legislations
Digital and physical surveillance, digital image manipulation
Cryptographic algorithms/protocols, steganography, hidden data

3 Digital Forensics
Definition: “Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”
Devices include computers, tablets, cellular phones, videogame consoles…

4 Examples of Digital Evidence
Computers increasingly involved in criminal and corporate investigations
Digital evidence may play a supporting role or be the “smoking gun”
Harassment or threats
Blackmail
Illegal transmission of internal corporate documents

5 Examples of Digital Evidence
Meeting points/times for drug deals
Suicide letters
Technical data for bomb making
Image or digital video files (esp. child pornography)
Evidence of inappropriate use of computer resources or attacks
Use of a machine as a spam generator
Use of a machine to distribute illegally copied software

6 Major Issues
Identification of potential digital evidence: Where might the evidence be? Which devices did the suspect use?
Preservation of evidence: On the crime scene… first, stabilize evidence to prevent loss and contamination. If possible, make identical copies of evidence for examination.
Careful extraction and examination of evidence

7 Major Issues
Presentation: “The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore ‘HITLIST.DOC’…” versus “The suspect attempted to hide the Microsoft Word document ‘HITLIST.DOC’ but I was able to recover it without tampering with the file contents.”
Legal: Investigatory needs meet privacy

8 Preservation of Evidence: Hardly trivial…
tick…tick…tick…
“Dear Susan, It’s not your fault…”
Just pull the plug? Move the mouse for a quick peek? Shut down? Remove battery?
Tripwires
Basement/closet wireless connection
Volatile computing
Living room

9 Preservation: Imaging
When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!
Write blockers: Use them. Always.
dd under Linux
DOS boot floppies
Proprietary imaging solutions
Drivelock write blocker
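The imaging step above, written out as an added Python example rather than code from the course: it copies a constructed block device the way `dd conv=noerror,sync` does (an unreadable sector is logged and zero-filled so later sectors keep their offsets) and records MD5/SHA-1 digests of the image so that any later modification of the copy is detectable. `FlakyDevice`, `image_device` and `verify_image` are names chosen here.

```python
import hashlib

BLOCK = 512  # sector size assumed for this constructed example


class FlakyDevice:
    """Constructed stand-in for a block device on which some sectors are unreadable."""

    def __init__(self, data, bad_blocks=()):
        self.data, self.bad = data, set(bad_blocks)

    @property
    def nblocks(self):
        return (len(self.data) + BLOCK - 1) // BLOCK

    def read_block(self, n):
        if n in self.bad:
            raise IOError("read error at block %d" % n)
        return self.data[n * BLOCK:(n + 1) * BLOCK]


def image_device(dev):
    """Copy every block of the device, the way `dd conv=noerror,sync` does:
    a block that cannot be read is logged and written out as zeros so that
    every later block keeps its original offset in the image.
    Returns (image_bytes, bad_block_numbers, md5_hex, sha1_hex)."""
    out, bad = bytearray(), []
    for n in range(dev.nblocks):
        try:
            blk = dev.read_block(n)
        except IOError:
            blk = b""
            bad.append(n)
        out += blk.ljust(BLOCK, b"\x00")  # sync: pad short or failed reads to a full block
    img = bytes(out)
    # Hash the image as soon as it exists; re-hashing later proves it was not modified
    return img, bad, hashlib.md5(img).hexdigest(), hashlib.sha1(img).hexdigest()


def verify_image(img, md5_hex, sha1_hex):
    """Recompute both digests and compare them with the ones recorded at imaging time."""
    return (hashlib.md5(img).hexdigest() == md5_hex
            and hashlib.sha1(img).hexdigest() == sha1_hex)


if __name__ == "__main__":
    # Constructed sample: four sectors, the second of which is unreadable
    dev = FlakyDevice(b"A" * 512 + b"B" * 512 + b"C" * 512 + b"D" * 100, bad_blocks=(1,))
    img, bad, md5_hex, sha1_hex = image_device(dev)
    print(len(img), bad, md5_hex, verify_image(img, md5_hex, sha1_hex))
```

The list of bad blocks belongs in the imaging notes together with the digests, since those zeroed regions are the one place where the image knowingly differs from the media.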

10 Extraction and Examination
Know where evidence can be found
Understand techniques used to hide or “destroy” digital data
Toolbox of techniques to discover hidden data and recover “destroyed” data
Cope with HUGE quantities of digital data… ignore the irrelevant and target the relevant

11 Where’s the evidence?
Undeleted files (expect some names to be incorrect)
Deleted files
Windows registry
Print spool files
Hibernation files (Windows: compressed hiberfil.sys)
Temp files (all those .TMP files!)
Slack space (unused space between files)
Swap files
Browser caches
Alternate partitions
On a variety of removable media: really antiquated floppies, ZIP drives, flash drives, hard drives, cloud

12 Fallacy vs. Fact in Digital Forensics
Many digital forensics tools and techniques are quite complex…
To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach:
Fallacy: User attempting to hide evidence believes one thing…
Fact: But in fact…

13 Fallacy: File was deleted, it’s gone!
Users often mistake normal deletion of files for “secure” deletion
Deleted files recoverable using forensics tools
Why? Filesystem makes a small change in its bookkeeping info to mark a file as deleted

14 Fallacy: File was deleted, it’s gone!
Data associated with file is NOT erased
Example: FAT32 (Windows), first character of filename is changed to 0xEF in directory entry to “delete” file
Forensics software changes one character in directory entry, file reappears
To prevent recovery, must perform secure overwrite of the file or physically destroy the media
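The one-byte bookkeeping change described on slides 13 and 14, as an added Python example that is not from the course materials. It parses constructed FAT 8.3 directory entries, lists the deleted ones, and "undeletes" one by putting a first character back; it uses the 0xE5 marker byte that the FAT specification defines for deleted entries (the slides write 0xEF). Because the marker overwrote the original first character, the examiner has to supply it. `make_entry`, `parse_dir`, `undelete` and `SAMPLE_DIR` are names chosen here.

```python
import struct

ENTRY = 32
DELETED = 0xE5   # marker byte for a deleted 8.3 entry in the FAT specification
END = 0x00       # a zero first byte means no entries follow
ATTR_LFN = 0x0F  # attribute value of a long-file-name fragment entry


def make_entry(name, ext, size, cluster):
    """Build one constructed 8.3 directory entry (sample data, not a real disk)."""
    hi, lo = cluster >> 16, cluster & 0xFFFF
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20])
            + bytes(8) + struct.pack("<H", hi) + bytes(4)
            + struct.pack("<H", lo) + struct.pack("<I", size))


def parse_dir(region):
    """List the entries of a raw directory region, deleted ones included."""
    entries = []
    for off in range(0, len(region), ENTRY):
        e = region[off:off + ENTRY]
        if e[0] == END:
            break
        if e[11] == ATTR_LFN:
            continue  # long-name fragments are skipped in this example
        deleted = e[0] == DELETED
        base = (b"?" if deleted else e[:1]) + e[1:8]  # marker replaced the first character
        name = base.decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append({"name": name, "deleted": deleted,
                        "cluster": (hi << 16) | lo, "size": size})
    return entries


def undelete(region, index, first_char):
    """Put a first character back in place of the marker; only this one
    bookkeeping byte changes, the file's data clusters are never touched."""
    buf = bytearray(region)
    off = index * ENTRY
    if buf[off] != DELETED:
        raise ValueError("entry %d is not marked deleted" % index)
    buf[off] = ord(first_char)
    return bytes(buf)


# Constructed directory: one live file, one deleted file, then the end marker
live = make_entry("README", "TXT", 1200, 5)
gone = bytes([DELETED]) + make_entry("HITLIST", "DOC", 24576, 9)[1:]
SAMPLE_DIR = live + gone + bytes(ENTRY)
```

On a real image the examiner would work on a copy and note that the restored name is a reconstruction, which is the point of the "presentation" contrast on slide 7.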

15 Fallacy: I renamed the file, I’m safe!
“childporn.jpg” → “winword.exe”
Renaming files is an ineffective defense against digital forensics investigation
Technique #1: Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses; e.g., JPEG files contain 0x4a or 0x in the first block of the file

16 Fallacy: I renamed the file, I’m safe!
Technique #2: Cryptographic hashing provides a mechanism for “fingerprinting” files
File contents are matched quickly, regardless of name
Hashes equivalent, file contents equivalent
Think: fingerprints don’t care about hair color…

17 Hashing
Typical algorithms: SHA-1, MD5
Example:
$ md5sum foo.jpg
b28f08b004a7251a418e089ef3bb7409 *foo.jpg
$ mv foo.jpg bar.exe
$ md5sum bar.exe
b28f08b004a7251a418e089ef3bb7409 *bar.exe
Can automate checking of hashes
Huge dictionaries exist with hashes for known files: …and known child pornography files
Can quickly disregard known files and target the interesting stuff
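Techniques #1 and #2 from slides 15 to 17 combined in one added Python example (not code from the course): each file is classified by its leading bytes rather than its extension, fingerprinted with MD5/SHA-1, flagged when extension and content disagree, and dropped from the worklist when its hash is in a known-file set. The sample files and the known-hash set are constructed inline; `identify`, `fingerprint` and `triage` are names chosen here.

```python
import hashlib

# Well-known leading bytes that identify a format whatever the file is called
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"MZ": "Windows executable",
    b"%PDF-": "PDF document",
}
EXPECTED_EXT = {"JPEG image": {"jpg", "jpeg"}, "PNG image": {"png"},
                "Windows executable": {"exe", "dll"}, "PDF document": {"pdf"}}


def identify(data):
    """Technique #1: classify by the first bytes of the file, not by its extension."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def fingerprint(data):
    """Technique #2: content hashes; a rename cannot change them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def triage(files, known_md5):
    """Report each file's real type, flag extension/content mismatches, and drop files
    whose MD5 is in a known-file hash set so only the interesting ones remain."""
    report, worklist = {}, []
    for name, data in files.items():
        kind, fp = identify(data), fingerprint(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        mismatch = kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]
        known = fp["md5"] in known_md5
        report[name] = {"type": kind, "md5": fp["md5"], "mismatch": mismatch, "known": known}
        if not known:
            worklist.append(name)
    return report, worklist


# Constructed sample files: a tiny JPEG-like blob, the same bytes renamed to .exe,
# and an MZ-headed stub that stands in for a file catalogued in a known-file hash set
JPEG_BLOB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x2a" * 24 + b"\xff\xd9"
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 28
SAMPLE_FILES = {"photo.jpg": JPEG_BLOB, "winword.exe": JPEG_BLOB, "notepad.exe": MZ_STUB}
KNOWN_MD5 = {hashlib.md5(MZ_STUB).hexdigest()}
```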

18 Fallacy: I formatted the drive, whew!
Formatting a drive does not prevent recovery of digital evidence
In fact, format typically overwrites less than 1% of drive contents
Why does it take so long? Format is reading disk blocks to determine if bad blocks exist

19 Fallacy: I formatted the drive, whew!
Format wipes out directories, so names of files are lost
A lot of the data can still be recovered by sifting through data that remains after the format operation
For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file
See digital forensics Technique #1 under file renaming fallacy
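The header/footer scan that file carving tools perform, as an added Python example rather than code from the course: it walks a constructed raw image with no directory information and pulls out every region that starts with the JPEG start-of-image marker and ends with the end-of-image marker. `carve_jpegs` and the sample image are this example's own.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the first segment marker byte
EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(raw, max_len=10 * 1024 * 1024):
    """Scan raw bytes for JPEG start/end markers and return a list of
    (offset, candidate_bytes). No file-system metadata is consulted, which is
    why carving still works after a format has wiped the directories."""
    found, pos = [], 0
    while True:
        start = raw.find(SOI, pos)
        if start < 0:
            break
        # Look for the footer within a sane distance; a header with no footer
        # in range is a truncated or overwritten file and is skipped.
        end = raw.find(EOI, start + len(SOI), start + max_len)
        if end < 0:
            pos = start + 1
            continue
        found.append((start, raw[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found


# Constructed raw image: leading zeros, two complete JPEG-like blobs separated by
# filler bytes, then a header whose footer was overwritten (must not be carved)
JPEG_A = SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 30 + EOI
JPEG_B = SOI + b"\xe1\x00\x08Exif\x00" + b"B" * 12 + EOI
TRUNCATED = SOI + b"\xe0" + b"C" * 6
SAMPLE_IMAGE = (b"\x00" * 40 + JPEG_A + b"\x11" * 16 + JPEG_B
                + b"\x22" * 8 + TRUNCATED + b"\x00" * 20)
```

Real carvers also parse the JPEG segment headers so that an embedded EXIF thumbnail, which carries its own end marker, does not cut the outer file short; this minimal scanner does not.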

20 Fallacy: Media mutilation == Miller time!
#1: Cutting a floppy into pieces
#2: Opening a hard drive, removing the platters, throwing them into the trash
#3: Burn it
#4: Soak in diluted hydrochloric acid
#5: Drill holes

21 Media mutilation
Even strong magnetic fields are insufficient…
Older “military grade” degausser for erasing hard drives was so strong that it bent the platters inside the drive
Your bulk tape eraser isn’t going to do the job
To destroy data: multiple overwrites (software) or complete destruction of hardware

22 Fallacy: Media mutilation == Miller time!
Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery
Media can be reassembled and partial recovery performed
Remove platter and sand grind (overkill)
Thermite destruction (over overkill)
Degauss with neodymium magnets (cheap): place platter between two magnets

23 That’s One Big Degausser!

24 Fallacy: I used Web-based email…
Fallacy: Use of web-based email rather than storing messages directly on a computer is safer (in terms of thwarting recovery attempts)
It’s not. Even if you never download the email and immediately delete all messages on the server!
Recently viewed web pages are stored in the web browser’s cache
Cache is often in a hard-to-find place…

25 Fallacy: I used Web-based email…
Internet Explorer → Tools → Internet Options → Delete Files clears the cache in IE
Files stored in browser cache are not securely deleted when the cache is cleared
Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash

26 Fallacy: Application uninstalls are easy…
Illegal application installed… Fear ensues… Application is uninstalled… (Am I safe?)
…application files can still be undeleted, proving application was installed
Further steps to obscure installation: securely overwrite application files

27 Fallacy: Application uninstalls are easy…
Now am I safe? Nope. Remnants of installation can likely still be found in the Windows registry
Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware

28 Fallacy: I encrypted my files…
On encrypted file systems, if file is ever printed and spool directory isn’t encrypted, fragments may be left behind
On Windows systems (e.g., Windows 2000), a “recovery agent” is able to read all encrypted files; thus just need to break administrator password
Problem: keys for truly secure encryption schemes are long

29 Fallacy: I encrypted my files…
Search for slips of paper
Search for unencrypted password lists
Search PDAs, phones, and organizers for passwords and encryption keys
Software or hardware keystroke loggers
Van Eck radiation
If the file can’t be decrypted, the name of the file may still be useful in prosecution

30 Beowulf, Slayer of Poorly Chosen Passwords…
How good are your passwords?

31 Steganography
“Techniques for hiding information within other information”
Historical: tattoos; text on wood under wax layer on a wax tablet; “invisible” ink (e.g., writing with lemon juice)
Modern: much more sophisticated; employ powerful encryption techniques; hide documents within an image, video, or audio file
Hidden documents can be harmless, or child pornography, bomb plans, …

32 Stego (2)

33 Stego (3)

34 Stego (4) Statistical analysis by “stegdetect” guesses correctly that something is hidden. However, jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.

35 Stego (5)
(Diagram labels: Igniter, Core)
This “bomb” diagram, however, is not detected inside the cactus picture…

36 Bluepipe: A Scalable Architecture for On-the-Spot Digital Forensics
1. Plug in a USB dongle to enable wireless communication with the target computer
2. Boot the target computer using a Bluepipe boot CD
3. Launch the Bluepipe application on a PDA or laptop
Must ensure that the target computer boots from the Bluepipe boot CD

37 Legal Issues
Investigative needs vs. the right to privacy
Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
Wiretap laws
Chain of custody

38 Legal Issues
Admissibility of evidence in court, Daubert standard: Has the theory or technique in question been tested? Is the error rate known? Widespread acceptance within a relevant scientific community?
Patriot Act: greatly expands governmental powers in terms of searching, wiretap w/o prior notification

39 The Other Side: Privacy
We’ve concentrated on the cool technology, but…
The existence of sophisticated digital forensics techniques is a great enabler for fascism
Actively fight laws that don’t appropriately balance privacy with need for investigation
Secure file deletion software

40 The Other Side: Privacy
Overwriting files with zeros is good enough unless a tunneling electron microscope is available…
Volatile computing
Physical destruction of media: grind the media into powder; vats of acid or molten steel

41 Resources
Books: Digital Evidence and Computer Crime (E. Casey, Academic Press); Computer Forensics and Privacy (M. Caloyannides, Artech House)
Websites: http://www.dfrws.org
Lots of references related to digital forensics, including a link to an interesting e-journal… (International Journal of Digital Evidence)
Tons of stuff, including a bunch of online papers
Huge collection of forensics-related software
Commercial digital forensics software: Encase, FTK (Forensics Tool Kit), ILook (law enforcement only), WinHex

