Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depends on:
– Nature of the case
– Amount of data to process
– Search warrants and court orders
– Company policies
• Scope creep
– The investigation expands beyond its original description
• Right of full discovery of digital evidence
Approaching Computer Forensics Cases
Refining and Modifying the Investigation Plan
• Considerations
– Determine the scope of the investigation
– Determine what the case requires
– Whether you should collect all information
– What to do in case of scope creep
• The key is to start with a plan but remain flexible in the face of new evidence
Using AccessData Forensic Toolkit to Analyze Data
FTK has two options for searching:
• Indexed search
• Live search
– Finds text hidden in unallocated space that an index of allocated files would miss
– Searches for alphanumeric and hexadecimal values (such as phone, credit card, and Social Security numbers)
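As an added illustration (not from the page and not AccessData's FTK code), the following Python script performs the live-search idea above over raw image bytes: regular expressions for phone numbers, Social Security numbers and card numbers, a Luhn check that discards 16-digit runs that are not real card numbers, and a hex search term matched byte-for-byte. The sample bytes, the patterns and the function names are all constructed for the example.

```python
import re

# Constructed sample of raw image bytes (not from a real case): allocated text,
# NUL-padded slack, and fragments left behind in unallocated space.
SAMPLE_IMAGE = (
    b"Invoice for ACME Corp. Call (555) 867-5309 or email sales@example.test."
    + b"\x00" * 16
    + b"card 4111 1111 1111 1111 exp 12/27"
    + b"\x00" * 8
    + b"ssn 078-05-1120 \xff\xff\xff"
    + b"not a card 1234 5678 9012 3456 "
    + b"\x89PNG\r\n\x1a\n"
)

# Byte-level regular expressions for the alphanumeric patterns a live search targets.
PATTERNS = {
    "phone": re.compile(rb"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d[ -]?){15}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real payment card number passes it, so failing
    runs of 16 digits (serials, timestamps) are dropped as false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hex_to_pattern(hex_string: str):
    """Turn a hex search term such as '89504E47' into a byte-exact pattern."""
    return re.compile(re.escape(bytes.fromhex(hex_string)))


def live_search(image: bytes, hex_terms=()) -> list:
    """Scan every byte of the image (slack and unallocated space included) and
    return (label, offset, value) hits sorted by offset. Card hits that fail
    the Luhn check are discarded."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(image):
            value = m.group(0).decode("ascii")
            if label == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            hits.append((label, m.start(), value))
    for term in hex_terms:
        for m in hex_to_pattern(term).finditer(image):
            hits.append(("hex:" + term.upper(), m.start(), m.group(0).hex()))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for label, offset, value in live_search(SAMPLE_IMAGE, hex_terms=["89504E47"]):
        print(f"{offset:#010x}  {label:<13} {value}")
```

The offsets are what you would carry into a hex editor to inspect the surrounding bytes; the "not a card" run is matched by the regex but dropped by the Luhn check, which is the difference between a keyword hit and a lead.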
Validating Forensic Data
• One of the most critical aspects of computer forensics
• Ensuring the integrity of the data you collect is essential for presenting evidence in court
• Most computer forensics tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
– Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
Validating with Hexadecimal Editors
Validating with Computer Forensics Programs
Addressing Data-hiding Techniques
• File manipulation
– Filenames and extensions
– Hidden property
• Disk manipulation
– Hidden partitions
– Bad clusters
• Encryption
– Bit shifting
– Steganography
Hiding Partitions
Marking Bad Clusters
Bit-shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
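Added Python example (not from the page and not Hex Workshop's code): shift_bits rotates a whole buffer by n bits the way a hex editor's shift-left/shift-right does to a selected block, which turns readable text into byte values that no longer look like text, and recover undoes an unknown shift by trying all eight rotations and keeping the one that reads as text. The message and the readability heuristic are constructed for the example.

```python
def shift_bits(data: bytes, n: int) -> bytes:
    """Rotate the whole buffer left by n bits as one continuous bit stream
    (a negative n rotates right). Because every byte now carries bits from its
    neighbour, the result does not decode as text and a keyword search misses it."""
    nbits = len(data) * 8
    if nbits == 0:
        return data
    n %= nbits  # a right rotation is a left rotation by (nbits - n)
    value = int.from_bytes(data, "big")
    rotated = ((value << n) | (value >> (nbits - n))) & ((1 << nbits) - 1)
    return rotated.to_bytes(len(data), "big")


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def recover(data: bytes):
    """Undo an unknown shift: rotate right by 0..7 bits and keep the rotation that
    yields the most readable bytes. Returns (shift, candidate_plaintext)."""
    candidates = [(k, shift_bits(data, -k)) for k in range(8)]
    return max(candidates, key=lambda kc: printable_ratio(kc[1]))


if __name__ == "__main__":
    original = b"Meet at the warehouse at 0200. Bring the ledger."  # constructed
    hidden = shift_bits(original, 3)
    print("shifted   :", hidden.hex())
    shift, plain = recover(hidden)
    print(f"recovered with right shift {shift}:", plain.decode())
```

Only eight rotations matter for a byte-oriented file (a shift of 8 just moves whole bytes), so an examiner who suspects bit-shifting can check all of them in one pass; the readability score is a heuristic, and a hit still needs to be confirmed by reading the result.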
Using Steganography to Hide Data
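Added example (not from the page): least-significant-bit steganography in Python. It embeds a message into the low bit of constructed sample bytes standing in for image pixels, extracts it again, and runs a crude LSB-distribution check of the kind an examiner uses to decide whether a file deserves closer attention. Cover data, message and all names are assumptions of the example.

```python
def embed(cover: bytes, message: bytes) -> bytes:
    """Write the message into the least significant bit of successive cover bytes,
    preceded by a 32-bit big-endian length so the extractor knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # only bit 0 changes, so each sample moves by at most 1
    return bytes(stego)


def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of stego[start:], 8 samples per byte."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change; LSB embedding never exceeds 1, which is why it is invisible."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_one_ratio(data: bytes) -> float:
    """Fraction of samples whose LSB is set. A smooth, untouched cover is usually far
    from 0.5; an embedded region looks like coin flips. A hint, not proof."""
    return sum(b & 1 for b in data) / len(data)


# Constructed 'image' samples: a smooth gradient whose bytes are all even.
COVER = bytes(((i * 3) % 128) * 2 for i in range(2048))
MESSAGE = b"The ledger is in locker 42"

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    region = (len(MESSAGE) + 4) * 8
    print("recovered:", extract(stego))
    print("largest sample change:", max_sample_delta(COVER, stego))
    print("LSB=1 ratio: cover %.2f, embedded region %.2f, rest %.2f"
          % (lsb_one_ratio(COVER), lsb_one_ratio(stego[:region]), lsb_one_ratio(stego[region:])))
```

Real stego tools spread the payload across the image and often encrypt it first, so a flat LSB ratio alone proves nothing; the practical lesson is that the visible file is unchanged to the eye, and only a statistical or tool-specific check, or the original cover file for comparison, exposes it.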
Examining Encrypted Files
• Encryption prevents unauthorized access
– Employs a password or passphrase
• Recovering the data is difficult without the password
– Key escrow
• Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
– Cracking the password
• Requires experts and powerful computers
– Persuading the suspect to reveal the password
Recovering Passwords
• Techniques
– Dictionary attack
– Brute-force attack
– Password guessing based on suspect’s profile
• Tools
– AccessData PRTK
– Advanced Password Recovery Software Toolkit
– John the Ripper
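Added Python example, not from the page and not the code of PRTK or John the Ripper: the three techniques listed above run against a constructed PBKDF2 verifier that stands in for a stored password hash. The word list, the suspect's "profile" words, the mangling rules, the iteration count and all names are assumptions of the example.

```python
import hashlib
import itertools
import os
import string

# Deliberately low so the example finishes in seconds; real password stores use far more.
ITERATIONS = 500


def make_verifier(password: str, salt: bytes = None):
    """Constructed stand-in for a stored password hash: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check(candidate: str, verifier) -> bool:
    salt, digest = verifier
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS) == digest


def dictionary_attack(verifier, wordlist):
    """Try each candidate in order; wordlist may be a list, a file iterator or a generator."""
    for word in wordlist:
        if check(word, verifier):
            return word
    return None


def profile_candidates(words, years, suffixes=("", "!", "1", "123")):
    """Mangling rules driven by the suspect's profile (names, pets, significant years):
    case variant x year x suffix, each candidate yielded once."""
    seen = set()
    for word in words:
        for form in (word.lower(), word.capitalize(), word.upper()):
            for year in ("",) + tuple(years):
                for suffix in suffixes:
                    candidate = form + year + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def brute_force(verifier, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search over every string up to max_len drawn from the alphabet.
    Work grows as len(alphabet) ** max_len, which is why it only suits short keys."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if check(candidate, verifier):
                return candidate
    return None


if __name__ == "__main__":
    # Constructed suspect profile: dog named Rex, daughter Emma born 2013.
    target = make_verifier("Rex2013!")
    print("dictionary:", dictionary_attack(target, ["password", "letmein", "rex", "Rex2013"]))
    print("profile   :", dictionary_attack(target, profile_candidates(["emma", "rex"], ["1978", "2013"])))
    print("brute     :", brute_force(make_verifier("cat")))
```

A plain dictionary misses "Rex2013!", the profile-driven rules find it in a few dozen guesses, and brute force finds "cat" only because the key space is tiny; with a realistic iteration count and an eight-character mixed alphabet the same loop would run for years, which is the argument for GPU-backed tools and for key escrow where it exists.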
Performing Remote Acquisitions
Remote Acquisitions with Runtime Software
Summary
Chapter 14: Computer and Network Forensics
Guide to Computer Network Security
Computer Forensics
Kizza - Guide46
• History of Computer Forensics
– Computer forensics started only a few years ago, when it was simple to collect evidence from a computer.
– While basic forensic methodologies remain the same, technology itself is rapidly changing, which is a challenge to forensic specialists.
• Basic forensic methodology consists of:
– Acquire the evidence without altering or damaging the original
• Look for evidence
• Recover evidence
• Handle evidence with care
• Preserve evidence
– Authenticate that your recovered evidence is the same as the originally seized data
– Analyze the data without modifying it.
Acquire the Evidence
• Keep in mind that every case is different
• Do not disconnect the computers: evidence may exist only in RAM, so collect information from the live system.
• Consider the following issues:
– Handling the evidence: if you do not take care of the evidence, the rest of the investigation will be compromised.
– Chain of custody: the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should answer:
• Who collected it?
• How and where?
• Who took possession of it?
• How was it stored and protected in storage?
• Who took it out of storage and why?
Storage Media
• Hard drives
– Make an image copy and then restore the image to a freshly wiped hard drive for analysis
– Mount the copy and start to analyze it
– Before opening it, get information on its configuration
– Use tools to generate a report listing the disk's contents (PartitionMagic)
– View operating system logs
Handle Evidence With Care
– Collection
• You want the evidence to be so pure that it supports your case.
– Identification
• Methodically identify and label every single item that comes out of the suspect's or victim's location.
– Transportation
• Evidence is not supposed to be moved, so when you must move it, be extremely careful.
– Storage
• Keep the evidence in a cool, dry place appropriate for electronic evidence.
– Documenting the investigation
• The most difficult step for computer professionals, because technical people are often not good at writing down the details of their procedures.
Authenticating evidence
Analysis
Data Hiding
• There are several techniques by which intruders may hide data:
– Obfuscating data through encryption and compression.
– Hiding data through codes, steganography, deleted files, slack space, and bad sectors.
– Blinding investigators by changing the behavior of system commands and modifying the operating system.
• Use commonly known tools to overcome these techniques
Network Forensics
• Unlike computer forensics, which retrieves information from a computer's disks, network forensics additionally retrieves information on which network ports were used to access the network.
• Several differences separate the two, including the following:
– In computer forensics the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly having a higher level of knowledge of the system; in network forensics the investigator and the adversary are at the same skill level.
– In many cases the investigator and the adversary use the same tools: one to cause the incident, the other to investigate it. Many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, used to gain information on network configurations, can be used by both the investigator and the criminal.
– Computer forensics deals with extraction, preservation, identification, documentation, and analysis, and follows well-defined procedures springing from law enforcement for acquisition, chain of custody, authentication, and interpretation. Network forensics, on the other hand, has nothing to investigate unless measures such as packet filters, firewalls, and intrusion detection systems were in place prior to the incident.
Network Forensics Intrusion Analysis
• Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without quick detection, and, more seriously, a stealthy attack on a crucial system resource may be hidden behind a simple, innocent-looking port scan.
• So the purpose of intrusion analysis is to seek answers to the following questions:
– Who gained entry?
– Where did they go?
– How did they do it?
Damage Analysis
• To produce a detailed report of an intrusion, the investigator must carry out a post mortem of the system by analyzing and examining the following:
– System registry, memory, and caches. On Linux and Unix systems the investigator can use dd to acquire these.
– Network state, to assess network accesses and connections. Here netstat can be used.
– Currently running processes, to assess the number of active processes. Use ps on both Unix and Linux.
– Acquisition of all unencrypted data, computing MD5 and SHA-1 hashes of all files and directories. Store these hashes in a secure place.
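The hashing step here, and the image validation described under "Validating Forensic Data" earlier on this page, are both served by one added Python example (not from the page): it hashes every file in an acquired tree with MD5 and SHA-1 as the text says, plus SHA-256 because both older algorithms are collision-broken, seals the resulting manifest with a single digest for the custody log, and re-verifies the tree after a one-byte change and a deletion. File contents, paths and all names are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

# MD5 and SHA-1 as in the text; SHA-256 added because collisions are practical for both.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash one file with every algorithm in a single pass, reading in chunks so a
    multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Walk the acquired tree in a deterministic order and record a digest set per file."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def manifest_digest(manifest):
    """SHA-256 over the canonical JSON form of the manifest: the one value that goes
    into the chain-of-custody log and is kept apart from the evidence itself."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(root, manifest):
    """Re-hash the tree and classify each path as ok, modified, missing, or new."""
    current = build_manifest(root)
    result = {}
    for rel, digests in manifest.items():
        if rel not in current:
            result[rel] = "missing"
        elif current[rel] != digests:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            result[rel] = "new"
    return result


def demo():
    """Constructed evidence tree: two files, then a one-byte change and a deletion.
    Returns (verification report, original manifest)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(root, "logs", "auth.log"), "wb") as fh:
        fh.write(b"Jan  1 00:00:01 host sshd[1]: Accepted password for root\n")  # constructed line
    manifest = build_manifest(root)
    sealed = manifest_digest(manifest)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hellp")  # one byte changed
    os.remove(os.path.join(root, "logs", "auth.log"))
    report = verify_manifest(root, manifest)
    assert manifest_digest(manifest) == sealed  # the manifest itself has not moved
    return report, manifest


if __name__ == "__main__":
    report, _ = demo()
    for path, status in sorted(report.items()):
        print(f"{status:<9} {path}")
```

Recording more than one algorithm costs one extra pass of CPU over the same read and protects the record if one algorithm is later challenged; the manifest digest is what you compare when the evidence comes back out of storage, which is the "who took it out and why" step of the chain of custody made checkable.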
Forensic Electronic Toolkit
• Computer and network forensics involves and requires:
– Identification
– Extraction
– Preservation
– Documentation
• Many tools are needed for thorough work
• The "forensically sound" method is never to conduct any examination on the original media.
• Before you use any forensic software, make sure you know how to use it, and also that it works.
• Tools:
– Hard drive: partitioning and viewing tools (PartInfo and PartitionMagic)
– File viewers: to thumb through stacks of data and images looking for incriminating or relevant evidence (QuickView Plus, Conversion Plus, DataViz, ThumbsPlus)
More Tools (continued)
• Unerase: if the files are no longer in the recycle bin, or you are dealing with old systems without recycle bins.
• CD-R/W: examine them as carefully as possible. Use CD-R Diagnostics.
• Text: because text data can be huge, use fast scanning tools like dtSearch.
• Other kits:
– Forensic Toolkit: command-line utilities used to reconstruct access activities in NT file systems
– The Coroner's Toolkit: to investigate a hacked Unix host
– ForensiX: an all-purpose set of data collection and analysis tools that run primarily on Linux
– New Technologies Incorporated (NTI)
– EnCase
– Hardware: Forensic-computers.com
Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 5: Processing Crime and Incident Scenes
Identifying Digital Evidence
• Digital evidence
– Can be any information stored or transmitted in digital form
• U.S. courts accept digital evidence as physical evidence
– Digital data is a tangible object
• Some courts require that all digital evidence be printed out to be presented in court
Identifying Digital Evidence (continued)
• Business-record exception
– Allows "records of regularly conducted activity," such as business memos, reports, records, or data compilations
• Generally, computer records are considered admissible if they qualify as a business record
• Computer records are usually divided into:
– Computer-generated records
– Computer-stored records
Understanding Rules of Evidence (continued)
• Innocent information
– Unrelated information
– Often included with the evidence you're trying to recover
• Judges often issue a limiting phrase to the warrant
– Allows the police to separate innocent information from evidence
Understanding Concepts and Terms Used in Warrants (continued)
• Guidelines (continued)
– Bag and tag the evidence, following these steps:
• Assign one person to collect and log all evidence
• Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
• Maintain two separate logs of collected evidence
• Maintain constant control of the collected evidence and the crime or incident scene
Processing an Incident or Crime Scene (continued)
• Guidelines (continued)
– Look for information related to the investigation
• Passwords, passphrases, PINs, bank accounts
• Look at papers, in drawers, in trash cans
– Collect documentation and media related to the investigation
• Hardware, software, backup media, documentation, manuals
Processing Data Centers with RAID Systems
• Sparse acquisition
– Technique for extracting evidence from large systems
– Extracts only data related to evidence for your case from allocated files
• And minimizes how much data you need to analyze
• Drawback of this technique
– It doesn't recover data in free or slack space
Using a Technical Advisor
• Technical advisor
– Can help you list the tools you need to process the incident or crime scene
– Person guiding you about where to locate data and helping you extract log records or other evidence from large RAID servers
– Can help create the search warrant by itemizing what you need for the warrant
Technical Advisor Responsibilities
• Spector
• WinWhatWhere
• EnCase Enterprise Edition
Sample Criminal Investigation