RMSec Consulting
Computer Forensics
Neil Greenberg
Dec 05, 2014
Forensics
Specializing in or having to do with the application of scientific
knowledge to legal matters, as in the investigation of a crime.
Computer Forensics
Computer forensics is the process of collecting, preserving, and analyzing computers and computer media for
the purpose of determining the presence of evidence.
Evidence
Anything properly admissible in a court that will aid a criminal or civil proceeding in establishing guilt or innocence.
How Used
• Computer forensics is used to discover evidence in a number of computer crimes, including espionage, industrial espionage, trade secret theft, and theft or destruction of intellectual property.
• It is also used to discover computer misuse by employees who are browsing inappropriate web sites or committing theft against the company.
Who Uses (Focus of practice)
• Criminal prosecutors – incriminating documents in homicide, fraud, child pornography and drug related cases
• Civil litigators – personal and business records recovered from computers in divorce, fraud, intellectual property, discrimination and harassment cases
Who Uses
• Insurance companies use computer records of billing and services to prove fraud in medical billing and accident cases.
• Individuals may use examiners to assist in proving cases of wrongful termination, sexual harassment or discrimination.
Procedures
• Protect the subject computer system from damage, alteration, data corruption and virus introduction
• Discover all files on the subject system, including deleted, hidden and password protected files
• Recover as much data as possible from deleted or obstructed data files
Procedures
• Access the contents of encrypted or password protected files as far as possible
• Analyze all possibly relevant data which may be discoverable but otherwise inaccessible, such as slack space and unallocated space
Special Considerations
Computer Evidence vs. Other
• Connectivity of computers creates unusual issues: networks, file servers. The location of the information becomes an issue
• Technical issues are unique: encryption, hidden data
• Often searching for intangibles: information in electronic form
Science vs. Art
• A little of both
• No two cases are the same
• Start with plan A, be prepared for plan Z
The Process
An Overview
Protecting the Evidence
• Safeguarding the evidence is as important as any other step in the forensic process
• Improperly handled evidence can be thrown out in court
• Those involved must be prepared to testify to how the evidence was handled
Collecting the Evidence
• Separate the subject from the evidence
• Take only what you have to
• Search for other useful information
• Create a record of the material collected which will show a chain of custody
Data Replication
• Vital to prevent accidental writes to original evidence
• Use forensically clean media for copies
• Use software capable of making an exact image of the original and restoring an exact image
Replication Process
• Media from the suspect system is removed and loaded into an examination system
• If not removed from the original, use trusted media to boot the system
• If replication software is not available or unusable, create a level 0 backup using standard system software and collect the last set of backups
Exam System Replica
• Replica media is forensically cleaned
• A copy of the original copy is made
• The original copy of the media is returned to control
• The exam is conducted on the copy
Exam System Replica Alternate
• Instead of a copy, image files are made, approximately 600 MB in size
• Images are written to CD-Rs
• The images are used to restore a copy of the original to forensically clean media
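The replication and verification steps above (image the original, confirm the copy is exact, record the chain of custody), as an added Python example that is not code from the deck or from RMSec Consulting: it images a source to a destination block by block, independently re-hashes the written image to prove it is bit-for-bit identical, and appends a custody record. The paths, examiner name and sample media file are constructed for the demo; in real use the source would be a write-blocked device.

```python
import hashlib, json, os, tempfile, time

BLOCK = 1024 * 1024  # image in 1 MiB blocks

def image_media(source, dest):
    """Copy source to dest block by block, hashing the bytes as they are read.
    Returns the SHA-256 of what was read from the original."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def hash_file(path):
    """Independent re-read of a file on disk; used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def replicate_and_record(source, dest, examiner, log_path):
    """Image source to dest, verify bit for bit, append a custody record, return it."""
    acquired = image_media(source, dest)
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(dest),
        "size_bytes": os.path.getsize(dest),
        "sha256_source": acquired,
        "sha256_image": hash_file(dest),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a") as log:      # append-only chain-of-custody log
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image does not match the original; do not examine it")
    return record

def demo():
    """Constructed sample: a small file stands in for the write-blocked suspect media."""
    work = tempfile.mkdtemp(prefix="rmsec_demo_")
    source = os.path.join(work, "suspect_media.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sample media\x00" * 4096)
    return replicate_and_record(source, os.path.join(work, "image.dd"),
                                "examiner-1", os.path.join(work, "custody.log"))
```

Re-running hash_file over the image at any later point and comparing it with the logged sha256_source is how the examiner shows the copy examined is still the one that was acquired.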
Performing an Examination
• Be aware of the subject's capabilities
• Determine the scope of the examination
• Document everything that is done during the exam
• Use only legal copies of software to perform the examination
Basic Processing
• Verify that the system contains no viruses
• Survey the contents of the system by producing a complete listing of the files on the media
• Examine files for content
• Look for erased files
• Look for hidden files
• Know where data hides
Verify Virus Free
• Viruses can infect the examination system, resulting in lost time
• May cascade to later exams if not checked
• Keep virus software up to date
• Scan the system often
Survey the Contents
• Gain a general understanding of the contents of the media
• Pipe a verbose dir or ls to a file to produce a listing of the files on the media, in case a question arises later as to whether a file or program was present on the media
• Helps to quickly focus the search for evidence
Examining File Content
• In most cases, relevant files are identified during the survey phase
• File viewer software such as Quick View Plus will quickly show the contents of files without the need to load the applications
• Relevant files are copied off for reference
• Care must be taken if executing application software; this is typically done last
Erased Files
• Often found using unerase utilities
• Disk editors will also show erased files, but they are more difficult to examine that way
Hidden Files
• Can be identified using utilities
• A verbose directory listing may show them
• Review of the TOC of the media using a disk editor will show them
• Because a file is hidden doesn't mean it's suspicious
Where Data Hides
• Slack space
• Unallocated space
• Temporary directories
• Cache directories
• Use a search utility that is not bounded by files to search for keywords, to quickly locate data not in a file
• Data not in a file can be recovered using a disk editor
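A keyword search that is not bounded by files, as an added Python example (not code from the deck): it scans a raw image in chunks, carrying over a tail so a hit that straddles a chunk boundary is still found, and reports absolute byte offsets, which is what a disk editor then needs to recover the surrounding data from slack or unallocated space. The sample image, its "deleted" fragment and the keywords are constructed for the demo.

```python
import os
import tempfile

def raw_keyword_search(path, keywords, chunk_size=1 << 20):
    """Scan an image file for each keyword without regard to file boundaries,
    so hits in slack or unallocated space are reported too. The file is read
    in chunks and a tail of len(longest keyword) - 1 bytes is carried over so
    a keyword straddling two chunks is still found. Returns sorted
    (absolute_offset, keyword) tuples."""
    keywords = [k.encode() if isinstance(k, str) else k for k in keywords]
    overlap = max(len(k) for k in keywords) - 1
    hits = set()                       # set dedups hits re-seen in the overlap
    base = 0                           # absolute image offset of buf[0]
    buf = b""
    with open(path, "rb") as img:
        for chunk in iter(lambda: img.read(chunk_size), b""):
            buf += chunk
            for kw in keywords:
                pos = buf.find(kw)
                while pos != -1:
                    hits.add((base + pos, kw))
                    pos = buf.find(kw, pos + 1)
            if len(buf) > overlap:     # drop bytes that can no longer start a hit
                base += len(buf) - overlap
                buf = buf[len(buf) - overlap:]
    return sorted(hits)

def demo():
    """Constructed sample image: three 'allocated' records, then unallocated
    space holding a fragment of a deleted document. Returns (path, offset of
    the fragment) so the result can be checked."""
    allocated = b"hello.txt contents\x00" * 3            # 57 bytes
    fragment = b"Project Falcon budget"                   # 'Falcon' at +8
    unallocated = b"\x00" * 37 + fragment + b"\x00" * 20
    path = os.path.join(tempfile.mkdtemp(prefix="rmsec_img_"), "sample.dd")
    with open(path, "wb") as f:
        f.write(allocated + unallocated)
    return path, len(allocated) + 37

if __name__ == "__main__":
    path, off = demo()
    # chunk_size=13 puts a chunk boundary inside 'Falcon' (offsets 102-107)
    for offset, kw in raw_keyword_search(path, ["Falcon", "hello.txt"], 13):
        print(f"0x{offset:08x} {kw.decode()}")
```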
Reporting
• Include detailed notes of things done during the examination
• Include recovered files
• May require additional notes explaining processes that were not detailed in the recovery notes
Forensic Analysis
Intellectual Property
The Challenge
• Maintaining control of the organization's trade secrets or intellectual property can be difficult given the current push toward global outsourcing of information management.
• How can an organization understand who is sharing information with whom?
Intellectual Property
• Every organization has certain information that is crucial to the viability of the organization
  • Manufacturing diagrams
  • Patient information
  • Financial client data
  • Source code
  • Media files
  • Business methodologies
  • Salary information
• The loss of the right piece of information can quickly put an organization out of business and lead to a lengthy legal process
Where is it Located?
• Difficult to answer, since many organizations are sending data processing and other capabilities overseas
  • Claims processing
  • Tech support
  • Software development
  • Design and manufacturing
• Greater risk of information leakage if sensitive data is placed overseas
Corporate Espionage
• Black market for competitive information
  • Internal personnel can be bought
  • Hackers as “hired guns”
• Effective security processes
  • Classification of data
  • Need to know validation
• Communications to sensitive data stores can also be monitored