1. 8/23/06 | Slide 1 Scott L. Ksander Computer Forensics in the Campus Environment Scott L. Ksander ksander@purdue.edu

2. 8/23/06 | Slide 2 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

3. 8/23/06 | Slide 3 Scott L. Ksander Some Background The Dean of Students at Purdue University estimates that 25% of all disciplinary cases involve some sort of computer evidence The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination Local law enforcement agencies and prosecutors expect 20-40% of all cases will require information forensics

4. 8/23/06 | Slide 4 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

5. 8/23/06 | Slide 5 Scott L. Ksander Incident Response Methodology (PDCAERF) PreparationDetectionContainmentAnalysisEradicationRecoveryFollow-up Feed Back Digital Forensics/Evidence Management

6. 8/23/06 | Slide 6 Scott L. Ksander

7. 8/23/06 | Slide 7 Scott L. Ksander Context of Computer Forensics Homeland Security Information Security Corporate Espionage White Collar Crime Child Pornography Traditional Crime Incident Response Employee Monitoring Privacy Issues ???? Digital Forensics Computer Forensics

8. 8/23/06 | Slide 8 Scott L. Ksander History & Development Francis Galton (1822-1911) –First definitive study of fingerprints Sir Arthur Conan Doyle (1887) –Sherlock Holmes mysteries Leone Lattes (1887-1954) –Discovered blood groupings (A,B,AB, & 0) Calvin Goddard (1891-1955) –Firearms and bullet comparison Albert Osborn (1858-1946) –Developed principles of document examination Hans Gross (1847-1915) –First treatise on using scientific disciplines in criminal investigations.

9. 8/23/06 | Slide 9 Scott L. Ksander Communities There at least 3 distinct communities within Digital Forensics –Law Enforcement –Military –Business & Industry Possibly a 4 th – Academia

10. 8/23/06 | Slide 10 Scott L. Ksander The Process The primary activities of DFS are investigative in nature. The investigative process encompasses –Identification –Preservation –Collection –Examination –Analysis –Presentation –Decision

11. 8/23/06 | Slide 11 Scott L. Ksander Computer Forensic Activities Computer forensics activities commonly include: –the secure collection of computer data –the identification of suspect data –the examination of suspect data to determine details such as origin and content –the presentation of computer-based information –the application of a country's laws to computer practice.

12. 8/23/06 | Slide 12 Scott L. Ksander The 3 As The basic methodology consists of the 3 As: –Acquire the evidence without altering or damaging the original –Authenticate the image –Analyze the data without modifying it

13. 8/23/06 | Slide 13 Scott L. Ksander “The Computer” Computer as Target of the incident –Get to instructor’s test preparation –Access someone else’s homework –Access/Change a grade –Access financial information –“Denial of Service” Computer as Tool of the incident –Word processing used to create plagiarized work –E-mail sent as threat or harassment –Printing used to create counterfeit material Computer as Incidental to the incident –E-mail/file access used to establish date/timelines –Stored names and addresses of contacts or others potentially involved in the incident

14. 8/23/06 | Slide 14 Scott L. Ksander General Types of Digital Forensics “Network” Analysis –Communication analysis –Log analysis –Path tracing Media Analysis –Disk imaging –MAC time analysis (Modify, Access, Create) –Content analysis –Slack space analysis –Steganography Code Analysis –Reverse engineering –Malicious code review –Exploit Review The “puzzle” is a combination of all the above pieces

15. 8/23/06 | Slide 15 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

16. 8/23/06 | Slide 16 Scott L. Ksander Principle of Exchange “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” (Edmund Locard, 1910)

17. 8/23/06 | Slide 17 Scott L. Ksander Forensic Principles 1.When dealing with digital evidence, all of the general forensic and procedural principles must be applied. 2.Upon seizing digital evidence, actions taken should not change that evidence. 3.When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. 4.All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review. 5.An Individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. 6.Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

18. 8/23/06 | Slide 18 Scott L. Ksander General Evidence Dos & Don’ts 1. Minimize Handling/Corruption of Original Data 2. Account for Any Changes and Keep Detailed Logs of Your Actions 3. Comply with the Five Rules of Evidence 4. Do Not Exceed Your Knowledge 5. Follow Your Local Security Policy and Obtain Written Permission 6. Capture as Accurate an Image of the System as Possible 7. Be Prepared to Testify 8. Ensure Your Actions are Repeatable 9. Work Fast 10. Proceed From Volatile to Persistent Evidence 11. Don't Run Any Programs on the Affected System 12. Document Document Document!!!! Source: AusCERT 2003 (www.auscert.org)

19. 8/23/06 | Slide 19 Scott L. Ksander 5 Rules of Evidence Admissible Must be able to be used in court or elsewhere Authentic Evidence relates to incident in relevant way Complete (no tunnel vision) Exculpatory evidence for alternative suspects Reliable No question about authenticity & veracity Believable Clear, easy to understand, and believable by a jury

20. 8/23/06 | Slide 20 Scott L. Ksander Evidence Life Cycle Collection & identification Storage, preservation, and transportation Presentation Return to production, owner, or court

21. 8/23/06 | Slide 21 Scott L. Ksander Chain of Custody Protects integrity of the evidence Effective process of documenting the complete journey of the evidence during the life of the case Allows you to answer the following questions: –Who collected it? –How & where? –Who took possession of it? –How was it stored & protected in storage? –Who took it out of storage & why?

22. 8/23/06 | Slide 22 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

23. 8/23/06 | Slide 23 Scott L. Ksander Forensic Mindset Digital Forensic Mindset – Condensed Definition: –Using your skills to determine what has occurred or, –What most likely occurred as opposed to what is possible –You do NOT work for anyone but the TRUTH!

24. 8/23/06 | Slide 24 Scott L. Ksander Forensic Mindset The tools used are not nearly as important as the person using them! The examination should not occur in a vacuum. Find out all you can about what is already known.

25. 8/23/06 | Slide 25 Scott L. Ksander Organizing the Investigation Use your knowledge to examine the system to answer; could it have happened that way or not? Don’t make it more complicated than it has to be – start with the obvious! Examples: –Check for programs that will cause you aggravation – encryption (PGP, Magic Folders, File Vault, EFS, etc.)

26. 8/23/06 | Slide 26 Scott L. Ksander Organizing the Investigation MAC information – what was happening on the system during the time frame you are interested in? What was being “written”, “changed” or “accessed”?

27. 8/23/06 | Slide 27 Scott L. Ksander Why use images In keeping with the second IOCE principle, care must be taken not to change the evidence. Most media are “magnetic based” and the data is volatile: –Registers & Cache –Process tables, ARP Cache, Kernel stats –Contents of system memory –Temporary File systems –Data on the disk Examining a live file system changes the state of the evidence (MAC times) The computer/media is the “crime scene” Protecting the crime scene is paramount as once evidence is contaminated it cannot be decontaminated. Really only one chance to do it right!

28. 8/23/06 | Slide 28 Scott L. Ksander A file copy does not recover all data areas of the device for examination Working from a duplicate image –Preserves the original evidence –Prevents inadvertent alteration of original evidence during examination –Allows recreation of the duplicate image if necessary Why Create a Duplicate Image?

29. 8/23/06 | Slide 29 Scott L. Ksander Why Create a Duplicate Image? Digital evidence can be duplicated with no degradation from copy to copy –This is not the case with most other forms of evidence

30. 8/23/06 | Slide 30 Scott L. Ksander Bitstream vs. Backups Are backups sufficient? –Ideally NO! –Practically it may be the only method available Most O/Ses only pay attention to the live filesystem structure –Slack, residue, deleted, etc. are not indexed Backups generally do not capture this data and they also modify the timestamps of data, contaminating the timeline.

31. 8/23/06 | Slide 31 Scott L. Ksander Bitstream vs. Backups Forensic Copies (Bitstream) –Bit for Bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.) Often the “smoking gun” is found in the residual data. Logical vs. physical image

32. 8/23/06 | Slide 32 Scott L. Ksander Disk Imaging Tools Requirements The tool shall make a bit-stream duplicate or an image of an original disk or partition. The tool shall not alter the original disk. The tool shall be able to verify the integrity of a disk image file. The tool shall log I/O errors. The tool’s documentation shall be correct.

33. 8/23/06 | Slide 33 Scott L. Ksander MAC Times Time attributes (Modified, Accessed, Changed). Allow an investigator to develop a time line or Chronology of the incident The time line is vital when examining logs, & event files Improperly accessing or searching a system can alter the time lines destroying evidence or erasing trails.

34. 8/23/06 | Slide 34 Scott L. Ksander Drive Imaging Tools SafeBack (www.forensics-intl.com)www.forensics-intl.com Ghost (www.symantec.com)www.symantec.com –Newest version of Ghost has a forensic “switch” now DD (standard unix/linux utility) –#dd if=device of=device bs=blocksize Encase (www.encase.com)www.encase.com Mareware FTK (www.accessdata.com)www.accessdata.com

35. 8/23/06 | Slide 35 Scott L. Ksander Drive Imaging Hardware Forensic mobile field system (MFS) –Laptop with NIC –Portable workstation

36. 8/23/06 | Slide 36 Scott L. Ksander Rules of Thumb Make 2 copies of the original media –1 copy becomes the working copy –1 copy is a library/control copy –Verify the integrity of the copies to the original The working copy is used for the analysis The library copy is stored for disclosure purposes or in the event that the working copy becomes corrupted If performing a drive to drive imaging (not an image file) use clean media to copy to! –Shrink wrapped new drives –Next best, zero another drive Verify the integrity of all images!

37. 8/23/06 | Slide 37 Scott L. Ksander Disk Write Blockers Prevent data been written to the suspect drive Ensure the integrity of the suspect drive Software Write Blockers v. Hardware

38. 8/23/06 | Slide 38 Scott L. Ksander Hardware Write Block A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device. Physically, the device is connected between the computer and a storage device. Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

39. 8/23/06 | Slide 39 Scott L. Ksander Forensic Boot Disk General principles: –Used to boot suspect systems safely –Contains a filesystem and statically linked utilities (e.g., ls, fdisk, ps, nc, dd, ifconfig, etc.) –Recognizes large partitions (+2 or + 8 Gb) –Places the suspect media in a locked or read-only state –Does not swap any data to the suspect media

40. 8/23/06 | Slide 40 Scott L. Ksander Forensic Boot Disk Open source bootable images: –Helix (http://www.e-fense.com/helix/)http://www.e-fense.com/helix/ –Trinux (http://trinux.sourceforge.net/)http://trinux.sourceforge.net/ –BartPE (http://www.nu2.nu/pebuilder/)http://www.nu2.nu/pebuilder/

41. 8/23/06 | Slide 41 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

42. 8/23/06 | Slide 42 Scott L. Ksander Computer People are from Mars Law Enforcement is from Venus

43. 8/23/06 | Slide 43 Scott L. Ksander Advantage of Computer People Natural curiosity “Obsessed” with detail Problem/puzzle solving in their profession/passion Intuitive thinkers Look for “creative” solutions

44. 8/23/06 | Slide 44 Scott L. Ksander Advantage of Law Enforcement Trained investigators Interviewing skills and creativity Fact-finding is their life Understanding the criminal psyche Access to additional resources Can tie things to other incidents Broad data collection reach

45. 8/23/06 | Slide 45 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

46. 8/23/06 | Slide 46 Scott L. Ksander

47. 8/23/06 | Slide 47 Scott L. Ksander

48. 8/23/06 | Slide 48 Scott L. Ksander

49. 8/23/06 | Slide 49 Scott L. Ksander

50. 8/23/06 | Slide 50 Scott L. Ksander

51. 8/23/06 | Slide 51 Scott L. Ksander

52. 8/23/06 | Slide 52 Scott L. Ksander Forensic Field kits Documentation Tools –Cable tags. –Indelible felt tip markers. –Stick-on labels. Disassembly and Removal Tools –A variety of nonmagnetic sizes and types of: –Flat-blade and Philips-type screwdrivers. –Anti-static Straps –Hex-nut drivers. –Needle-nose pliers. –Secure-bit drivers. –Small tweezers. –Specialized screwdrivers (manufacturer-specific, e.g., Compaq, –Macintosh). –Standard pliers. –Star-type nut drivers. –Wire cutters.

53. 8/23/06 | Slide 53 Scott L. Ksander Forensic Field kits Package and Transport Supplies –Antistatic bags. –Antistatic bubble wrap. –Cable ties. –Evidence bags. –Evidence tape. –Packing materials (avoid materials that can produce static such as Styrofoam or Styrofoam peanuts). –Packing tape. –Sturdy boxes of various sizes.

54. 8/23/06 | Slide 54 Scott L. Ksander Forensic Field kits Items that also should be included within a kit are: –Rubber Gloves**** –Hand truck. –Large rubber bands. –List of contact telephone numbers for assistance. –Magnifying glass. –Printer paper. –Seizure disk. –Small flashlight. –Unused removable media (CD, DVD, etc) –Blank & Zeroed Hard Drives

55. 8/23/06 | Slide 55 Scott L. Ksander

56. 8/23/06 | Slide 56 Scott L. Ksander

57. 8/23/06 | Slide 57 Scott L. Ksander

58. 8/23/06 | Slide 58 Scott L. Ksander

59. 8/23/06 | Slide 59 Scott L. Ksander

60. 8/23/06 | Slide 60 Scott L. Ksander

61. 8/23/06 | Slide 61 Scott L. Ksander

62. 8/23/06 | Slide 62 Scott L. Ksander

63. 8/23/06 | Slide 63 Scott L. Ksander

64. 8/23/06 | Slide 64 Scott L. Ksander

65. 8/23/06 | Slide 65 Scott L. Ksander

66. 8/23/06 | Slide 66 Scott L. Ksander

67. 8/23/06 | Slide 67 Scott L. Ksander

68. 8/23/06 | Slide 68 Scott L. Ksander

69. 8/23/06 | Slide 69 Scott L. Ksander

70. 8/23/06 | Slide 70 Scott L. Ksander

71. 8/23/06 | Slide 71 Scott L. Ksander Software Toolkit Directory Snoop (http://www.briggsoft.com)http://www.briggsoft.com ThumbsPlus (http://www.cerious.com)http://www.cerious.com WinHex (http://www.winhex.com)http://www.winhex.com Mount Image (http://www.mountimage.com)http://www.mountimage.com Autopsy Forensic Browser FTK

72. 8/23/06 | Slide 72 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

73. 8/23/06 | Slide 73 Scott L. Ksander Just saying “Hi” “Thought you might be interested” Notify potential victims

74. 8/23/06 | Slide 74 Scott L. Ksander 18 USC 2703(f) “Preservation letter” Preserve for 90 days ONLY retrospectively

75. 8/23/06 | Slide 75 Scott L. Ksander 18 USC 2703(f) “… without notice … nor … any disruption in service”

76. 8/23/06 | Slide 76 Scott L. Ksander Subpoena often follows “… requested not to disclose the existence of this subpoena”

77. 8/23/06 | Slide 77 Scott L. Ksander Subpoena “Provide all records, documents, logs, and subscriber information”

78. 8/23/06 | Slide 78 Scott L. Ksander Search Warrant Sometimes “Sealed”

79. 8/23/06 | Slide 79 Scott L. Ksander Operational plan for Search Warrants “No warning shots.”

80. 8/23/06 | Slide 80 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

81. 8/23/06 | Slide 81 Scott L. Ksander Challenges NIJ 2001 Study There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes. Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime. Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.

82. 8/23/06 | Slide 82 Scott L. Ksander General Challenges Computer forensics is in its infancy Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector No real basic theoretical background upon which to conduct empirical hypothesis testing No true professional designations Proper training At least 3 different “communities” with different demands Still more of a “folk art” than a true science

83. 8/23/06 | Slide 83 Scott L. Ksander Specific Challenges No International Definitions of Computer Crime No International agreements on extraditions Multitude of OS platforms and filesystems Incredibly large storage capacity –100 Gig Plus –Terabytes –SANs Small footprint storage devices –Compact flash –Memory sticks –Thumb drives –Secure digital Networked environments RAID systems Grid computing Embedded processors

84. 8/23/06 | Slide 84 Scott L. Ksander Specific Challenges Where is the “crime scene?” Perpetrator’s System Victim’s System Electronic Crime Scene Cyberspace

85. 8/23/06 | Slide 85 Scott L. Ksander General Defense Strategies Not Me Defense (aka SODDI, TODDI) Mind-Numbing Detail Defense Indict the Examiner Defense (aka Dennis Fung Defense)

86. 8/23/06 | Slide 86 Scott L. Ksander Things That Will Be Covered On The Final Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success How to start building your forensic toolkit Things to expect in the campus environment Challenges and expected defenses References

87. 8/23/06 | Slide 87 Scott L. Ksander NHTCU National Hi-Tech Crime Unit (UK) The ACPO Good Practice Guide for Computer based Electronic Evidence (2003) http://www.nhtcu.org

88. 8/23/06 | Slide 88 Scott L. Ksander DOJ - CCIPS Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.cybercrime.gov/s&smanual2002.htm

89. 8/23/06 | Slide 89 Scott L. Ksander NIJ Guide Electronic Crime Scene Investigation: A Guide for First Responders http://www.ncjrs.org/pdffiles1/nij/187736.pdf

90. 8/23/06 | Slide 90 Scott L. Ksander Questions Before Elvis Leaves The Building?