Computer Forensics BACS 371


1 Computer Forensics BACS 371
Evidentiary Methods II: Evidence Acquisition

2 OK, What do we do first?

3 Basic Forensic Methodology
- Acquire the evidence (legally)
- Authenticate that it is the same as the original
- Analyze the data without modifying it

4 Photographing Systems
Before you do anything, begin documentation by photographing all aspects of the system:
- Monitor
- Desk and surrounding area
- All 4 sides of PC
- Labeled cables still connected

5 Evidence Acquisition Process[1]
- Disassemble the case of the computer
- Identify storage devices that need to be acquired (internal/external/both)
- Document internal storage devices and hardware configuration
  - Drive condition (make, model, geometry, size, jumper settings, location, drive interface, ...)
  - Internal components (sound card, video card, network card including MAC address, PCMCIA cards, ...)
- Disconnect storage devices (power, data, or both)
- Controlled boots
  - Capture CMOS/BIOS info (boot sequence, time/date, passwords)
  - Controlled boot from forensic CD to test functionality (RAM, write-protected storage, ...)
  - Controlled boot to capture drive config (LBA, CHS, ...)
[1] Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3, Evidence Acquisition.

6 Role of the First Responder
Scene of the Cybercrime[1]:
- Do No Harm!
- Identify the Crime Scene
- Protect the Crime Scene
- Preserve Temporary and Fragile Evidence
A Guide for First Responders[2]:
- Secure and Evaluate the Scene
- Document the Scene
- Collect Evidence
- Packaging, Transportation, and Storage of Evidence
- Forensic Examination
[1] Scene of the Cybercrime, Shinder & Tittel, p. 553
[2] Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

7 Role of Investigators[1]
- Establish Chain of Command
- Conduct Crime Scene Search
- Maintain Integrity of Evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 554

8 Role of Crime Scene Technician[1]
- Preserve volatile evidence and duplicate disks
- Shut down systems for transport
- Tag and log evidence
- Transport evidence
- Process evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 555

9 Computer Seizure Checklist[1]
- Photograph the monitor
- Preserve volatile data
- Shut down systems
- Photograph the system setup (PC, all sides)
- Label all connections
- Unplug system and peripherals; mark and tag
- Bag and tag all components
- Bitstream copy of disk(s) (offsite usually)
- Verify integrity of copies (offsite usually)
[1] Scene of the Cybercrime, Shinder & Tittel, p. 557

10 Handling, Transportation, Storage
Protect evidence from:
- Static electricity
- External RF signals
- Heat
- Humidity
- Sunlight

11 Evidence Logs
Lists all evidence collected:
- Description of each piece of evidence with serial numbers and other ID information
- Identifies who collected the evidence and why
- Date and time of collection
- Disposition of evidence
- All transfers of custody

12 Computer Evidence Worksheet

13 Evidence Tag
- Place or person from whom item was received
- If item requires consent for search
- Description of items taken
- Information contained on storage device
- Date and time item was taken
- Full name and signature of individual initially receiving evidence
- Case and tag number

14 Evidence Label
- Case number and evidence tag number
- Date and time the evidence was collected
- Brief description of items in envelope

15 Evidence Analysis Logs
How each step is performed:
- Who was present
- What was done
- Result of procedure
- Time/date
Document all potential evidence:
- Filename
- Where on disk data are located
- Date and time stamps
- Network information (MAC address, IP address)
- Other file properties (metadata)

16 Evidence Log (Case Number: 123412)

| Tag # | Date | Action Taken | By | Location |
|---|---|---|---|---|
| | 13 Jan 01 | Initial Submission | Matt Pepe | Maxtor 600GB ( ) |
| | 15 Mar 01 | Moved evidence to tape | | 4mm tape #01101 |
| | | Examined evidence using EnCase | | FRED #7 |

Columns: evidence tag number, date, action, person performing action, identifying information.
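The log above records who did what to which item and when, but a plain table can be edited after the fact. The following Python sketch is an added example (not from the slides or the cited texts) of the same columns kept as a tamper-evident chain: every entry stores the SHA-256 of the entry before it, so a later change to any row breaks verification of every row after it. The case number, names, dates and media descriptions are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict


@dataclass
class LogEntry:
    """One row of the evidence log: tag #, date, action, person, location."""
    tag: int
    date: str
    action: str
    taken_by: str
    location: str
    prev_digest: str = ""            # digest of the previous row (or the case number for row 1)
    digest: str = field(default="", init=False)

    def compute_digest(self) -> str:
        # Hash every field except the digest itself, in a canonical JSON form.
        body = asdict(self)
        body.pop("digest")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class EvidenceLog:
    """Append-only custody log; verify() fails if any stored row was altered."""

    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries: list[LogEntry] = []

    def add(self, tag: int, date: str, action: str, taken_by: str, location: str) -> LogEntry:
        prev = self.entries[-1].digest if self.entries else self.case_number
        entry = LogEntry(tag, date, action, taken_by, location, prev_digest=prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.case_number
        for entry in self.entries:
            if entry.prev_digest != prev or entry.compute_digest() != entry.digest:
                return False
            prev = entry.digest
        return True


def build_sample_log() -> EvidenceLog:
    """Constructed rows mirroring the slide's example (tag numbers are assumed)."""
    log = EvidenceLog("123412")
    log.add(1, "13 Jan 01", "Initial Submission", "Matt Pepe", "Maxtor 600GB")
    log.add(1, "15 Mar 01", "Moved evidence to tape", "Matt Pepe", "4mm tape #01101")
    log.add(1, "15 Mar 01", "Examined evidence using EnCase", "Matt Pepe", "FRED #7")
    return log


def tamper_demo() -> tuple:
    """Returns (verifies before edit, verifies after someone rewrites row 1)."""
    log = build_sample_log()
    before = log.verify()
    log.entries[0].taken_by = "Someone Else"      # silent edit to a stored row
    after = log.verify()
    return before, after
```

Only the digests are chained; the rows stay human-readable, so the printed log still looks like the slide's table while any retroactive edit is detectable.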

17 Preserve Volatile Data[1]
Order of Volatility[2] (most volatile first):
- Registers and cache
- Routing table, ARP cache, process table, kernel statistics
- Contents of system memory (RAM)
- Remote logging and monitoring data
- Physical configuration, network topology
- Temporary file systems
- Data on disk
- Archival media
ARP = Address Resolution Protocol
[1] Scene of the Cybercrime, Shinder & Tittel, p. 559
[2] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

18 Collecting Volatile Data

| Tool | Purpose |
|---|---|
| netstat | View current network connections |
| nbtstat | NetBIOS name resolution (see slide 20) |
| arp | View addresses in ARP (Address Resolution Protocol) cache |
| plist | List running processes (or view in Task Manager) |
| ipconfig | Gather information about the state of the network |
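The tools above should be run in the order of volatility and from the examiner's own verified copies rather than the suspect system's binaries. The script below is an added example, not the course's or any vendor's code: it runs a fixed plan of Windows commands from an assumed trusted-tools directory (`E:\trusted_tools`), timestamps each capture and hashes its output so the record can later be shown unaltered. The `tasklist` command stands in for the process-listing tool the slide calls `plist`; `sample_collection()` substitutes constructed output for the real commands so the flow can be exercised on any host.

```python
import datetime
import hashlib
import subprocess
from pathlib import PureWindowsPath

# Collection plan in order of volatility (slide 17): connection and routing
# state, the ARP cache, the NetBIOS name cache, the process list, then the
# slower-changing adapter configuration. Flags are the standard Windows ones.
COLLECTION_PLAN = [
    ("netstat", ["netstat", "-an"]),
    ("netstat-routes", ["netstat", "-rn"]),
    ("arp", ["arp", "-a"]),
    ("nbtstat", ["nbtstat", "-c"]),
    ("tasklist", ["tasklist", "/v"]),
    ("ipconfig", ["ipconfig", "/all"]),
]

# Assumed location of the examiner's own, verified tool binaries
# (slide 24: do not trust the programs already on the system).
TRUSTED_TOOL_DIR = "E:\\trusted_tools"


def run_command(argv):
    """Run one tool and return everything it wrote (stdout followed by stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def collect_volatile(plan=COLLECTION_PLAN, tool_dir=TRUSTED_TOOL_DIR, runner=run_command):
    """Run each tool from the trusted directory, in plan order, and record the result."""
    records = []
    for name, argv in plan:
        # Resolve the binary from the trusted directory, never from the suspect's PATH.
        trusted_argv = [str(PureWindowsPath(tool_dir, argv[0]))] + argv[1:]
        started = datetime.datetime.now(datetime.timezone.utc).isoformat()
        output = runner(trusted_argv)
        records.append({
            "tool": name,
            "command": " ".join(trusted_argv),
            "collected_at_utc": started,
            "sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
            "output": output,
        })
    return records


def record_intact(record) -> bool:
    """True if the stored output still matches the digest taken at collection time."""
    return hashlib.sha256(record["output"].encode("utf-8")).hexdigest() == record["sha256"]


def sample_collection():
    """Exercise the plan against constructed output instead of live commands."""
    canned = {
        "netstat": "  TCP    10.0.0.5:49152   203.0.113.7:443   ESTABLISHED\n",
        "arp": "  203.0.113.1   00-11-22-33-44-55   dynamic\n",
    }

    def fake_runner(argv):
        return canned.get(PureWindowsPath(argv[0]).name, "")

    return collect_volatile(runner=fake_runner)
```

On a live system, call `collect_volatile()` with the default runner and write the returned records to the examiner's own media; the per-capture digests belong in the evidence analysis log alongside the time and the person who ran the collection.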

19 netstat – current network connections

20 nbtstat – NetBIOS name resolution

21 arp – addresses in ARP cache
ARP (Address Resolution Protocol, specified in RFC 826) is used alongside IP to map a 32-bit Internet Protocol address to the MAC address recognized on the local network. Once the address is resolved, the server or networking device that owns it returns a response containing the required hardware address.

22 ipconfig – state of network

23 Foundstone Tools
- Pasco: an Internet Explorer activity forensic analysis tool
- Galleta: an Internet Explorer cookie forensic analysis tool
- Rifiuti: a Recycle Bin forensic analysis tool
- Vision: reports all open TCP and UDP ports
- NTLast: security audit tool for WinNT
- Forensic Toolkit: tools to examine an NTFS disk partition for unauthorized activity
- ShoWin: shows information about windows; reveals passwords
- BinText: finds ASCII, Unicode, and resource strings in a file

24 Things to Avoid[1]
- Don't shut down until volatile evidence has been collected
- Don't trust the programs on the system; use your own secure programs
- Don't run programs which modify access times of files
[1] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

25 Acquire the Evidence
To shut down, or not to shut down, that is the question!
- Do so without damaging or altering the original
- Should you let the machine run, or pull the plug?
  - Run: retains maximum forensic evidence
  - Pull plug: removes a compromised computer from potentially affecting the whole network
- How to pull the plug
  - From the back of the PC
  - When the hard drive is not spinning (sound, drive light, vibration)

26 Making Backups: File Backup vs. Bitstream Copy
- Use forensically sterile media (sterile means forensically wiped)
- Make 2 backup copies (one to work with and one to store)
- Don't access the original again!
- Bitstream is best

27 Level of Effort to Protect Evidence...
If the evidence is going to be used in court vs. if the evidence is going to be used for an internal investigation: the evidence method should be the same for both situations, in case it ever goes to court. The more documentation the better.

28 Forensic Analysis
- CYA: virus check
  - Forensic computer
  - Media being processed
- Collect system information
  - Complete computer hardware inventory
- CHKDISK/SCANDISK
  - Look for "orphan clusters"
- Check for hidden partitions
- Document everything!

29 MD5 Hashing
Wikipedia entries: Cryptographic Hash Function, Hash Function.
A hash function must be able to process an arbitrary-length message into a fixed-length output.
Related entries: Hash Function, Hash Collision, Check Digit, Cyclic Redundancy Check (CRC).

30 MD5 Hashing Algorithm[1]
One MD5 operation: MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation. <<<s denotes a left bit rotation by s places; s varies for each operation. ⊞ denotes addition modulo 2^32. There are four possible functions F; a different one is used in each round.
[1] Wikipedia
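The slide's figure shows one of the 64 operations; the four round functions, the rotation amounts s and the constants K_i are what remain to make it concrete. The implementation below is an added example written for this page, not code from the slides or from Wikipedia. It follows the published algorithm (K_i = floor(|sin(i+1)| * 2^32), little-endian words, length padding to 64 bits) and cross-checks itself against the standard library's `hashlib.md5`.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-operation left-rotation amounts s: four rounds of sixteen operations.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Per-operation 32-bit constants K_i = floor(|sin(i + 1)| * 2^32).
K = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK for i in range(64)]


def rotl(x, n):
    """Left bit rotation of a 32-bit word by n places (<<<s in the figure)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def nonlinear_f(i, b, c, d):
    """The round's nonlinear function: F (round 1), G (round 2), H (round 3), I (round 4)."""
    if i < 16:
        return (b & c) | (~b & d)
    if i < 32:
        return (d & b) | (~d & c)
    if i < 48:
        return b ^ c ^ d
    return c ^ (b | ~d)


def message_word(i):
    """Index of the 32-bit message word M_i that operation i mixes in."""
    if i < 16:
        return i
    if i < 32:
        return (5 * i + 1) % 16
    if i < 48:
        return (3 * i + 5) % 16
    return (7 * i) % 16


def md5(message: bytes) -> str:
    """MD5 digest of `message` as 32 hex characters (the 128-bit fingerprint)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: one 1 bit, zeros up to 56 bytes mod 64, then the bit length as 64-bit little-endian.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    for offset in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[offset:offset + 64])   # sixteen words M_0..M_15
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):                                      # 64 operations, 4 rounds of 16
            f = (nonlinear_f(i, b, c, d) + a + K[i] + m[message_word(i)]) & MASK
            a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5(message) == hashlib.md5(message).hexdigest()
```

The inner loop is exactly the figure repeated 64 times: the chaining words rotate (A takes D, D takes C, C takes B) and only B absorbs the new value. For casework use `hashlib`; the point of writing it out is to see why a one-bit change anywhere in the input reaches every output bit.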

31 Integrity of Evidence[+]

| Method | Description | Common Types | Advantages | Disadvantages |
|---|---|---|---|---|
| Checksum | Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result. | CRC-16, CRC-32 | Easy to compute; fast; small data storage; useful for detecting random errors | Low assurance against malicious attack; simple to create data with matching checksum |
| One-Way Hash | Method for protecting data against unauthorized change. Produces a fixed-length large integer (80~240 bits) representing digital data. Implements a one-way function. | SHA-1, MD5, MD4, MD2 | Can detect both random errors and malicious alterations | Must maintain secure storage of hash values; does not bind identity with data; does not bind time with data |
| Digital Signature | Secure method for binding identity of signer with digital data integrity methods such as one-way hash values. Uses a public key cryptosystem. | RSA, DSA, PGP | Binds identity to integrity operation; prevents unauthorized regeneration of signature | Slow; must protect private key |

[+] "Proving the Integrity of Digital Evidence with Time," International Journal of Digital Evidence, Spring 2002, V1.1 (accessed Oct 25, 2005)
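The table's claim that it is "simple to create data with matching checksum" is easy to see on a bitstream copy (slide 26 asks for the copies to be verified). The example below is added for this page and is not from the cited paper or the slides: it appends four bytes to an altered copy of a constructed image so that its CRC-32 equals the original's, then shows that a one-way hash (SHA-256 here; the slide lists MD5 and SHA-1) still reports the alteration. The image contents and the altered value are constructed sample data.

```python
import hashlib
import zlib

# CRC-32 lookup table for the reflected polynomial 0xEDB88320 (the one zlib uses).
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte, which is what lets the update be run backwards.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}


def crc32_ref(data: bytes) -> int:
    """Byte-at-a-time CRC-32; equals zlib.crc32 and shows the register update used below."""
    reg = 0xFFFFFFFF
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ 0xFFFFFFFF


def crc32_patch(data: bytes, target: int) -> bytes:
    """Four trailing bytes such that crc32(data + patch) == target.

    Walk the last four register updates backwards from the wanted final state to learn
    which table index each step must use, then walk forwards from the real register
    state after `data` to pick the byte that selects each index.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF        # raw register after `data`
    want = target ^ 0xFFFFFFFF                 # raw register required at the end
    indices = []
    r = want
    for _ in range(4):
        i = REV[r >> 24]                       # the top byte of r comes only from TABLE[i]
        indices.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF  # high 24 bits of the previous register
    indices.reverse()
    patch = bytearray()
    for i in indices:
        patch.append((reg ^ i) & 0xFF)         # byte making (reg ^ byte) & 0xFF == i
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(patch)


def integrity_report(original: bytes, copy: bytes) -> dict:
    """What a checksum and a one-way hash each say about a copy of the original."""
    return {
        "crc32_match": zlib.crc32(original) == zlib.crc32(copy),
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(copy).digest(),
    }


def demo() -> dict:
    # Constructed "disk image" and an altered copy whose CRC-32 has been forced to match.
    original = b"constructed disk image: account ledger, balance=1000\n" * 8
    altered = original.replace(b"balance=1000", b"balance=9000")
    forged = altered + crc32_patch(altered, zlib.crc32(original))
    return {
        "faithful_copy": integrity_report(original, bytes(original)),
        "forged_copy": integrity_report(original, forged),
        "self_check": crc32_ref(original) == zlib.crc32(original),
    }
```

A faithful copy matches on both measures; the altered copy matches the CRC and fails the hash, which is why the copies made under slide 26 are verified with a cryptographic hash and the hash values themselves are kept in a protected log (the table's "must maintain secure storage of hash values").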

32 Hashing Algorithms[1]
Algorithm and description:
- MD2: Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.
- MD4: Developed by Rivest in [year missing]. Using a PC, collisions can now be found in this version in less than one minute.
- MD5: Developed by Rivest in [year missing]. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
- SHA: SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
- HAVAL: A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.
[1] Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

33 MD5 Hash
"[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."[1]
[1] http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

34 MD5 Hash
- 128-bit number representing a "fingerprint" of a file
- Odds of two different files having the same MD5 hash are 1 in 2^128
- MD5 issues???
  - Collisions: two different files generating the same hash
  - SHA collisions

35 Hash: Try It... http://www.sha1-online.com/
Hash converter:

36 Admissibility of Evidence
The whole point of all of this is to make sure that the evidence is admissible, which means it is:
- Relevant: substantiates an issue that is in question in the case
- Competent: reliable and credible
- Obtained legally

37 5 Mistakes of Computer Evidence[1]
1. Turn on the computer (don't do it!)
2. Get help from the computer owner
3. Don't check for computer viruses
4. Don't take any precautions in the transport of computer evidence
5. Run Windows to view graphic files and to examine files
[1] Electronic Fingerprints: Computer Evidence Comes of Age, Michael R. Anderson

