© 2009 Property of JurInnov Ltd. All Rights Reserved
Computer Forensics First Responder Training
August 28-30, 2012
Timothy M. Opsitnick, Esq., Senior Partner and General Counsel, JurInnov Ltd.
John G. Liptak, ACE, EnCE, Senior Consultant, Computer Forensic and Investigation Services
Eric A. Vanderburg, MBA, CISSP, Director, Information Systems and Security, Computer Forensic and Investigation Services
Who Are We?
JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
  – Electronic Discovery
  – Computer Forensics
  – Document and Case Management
  – Computer & Network Security
Presentation Overview
• Understanding Computing Environments
• Collecting Electronically Stored Information
• Forensic Analysis Demonstration
• Types of Cases When Forensics Are Useful
What is Computer Forensics?
Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
Sources of “ESI”
• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage Devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup Tapes
• E-Mail
• Archives
• Cell Phones/PDAs
• Thumb Drives
• Memory Cards
• External Storage Devices
• Cameras
• Printers
• GPS Devices
Why Computer Forensics?
• Reasons to use Computer Forensics
  – Internal Company Investigations
    • Alleged criminal activity
    • Civil or Regulatory Preservation
  – Receivership, Bankruptcy
  – EEO issues
  – Improper use of company assets
  – Recovery of Accidentally or Intentionally Deleted Data
    • Deleted is not necessarily deleted
    • Recovery from improper shutdowns
How Does a Computer Operate?
• Hardware
  – Processor
  – Memory (RAM)
  – Hard Drive
  – CD/DVD Drive
  – Motherboard
  – Mouse/Keyboard
• Software
  – Operating System
  – Applications
How Does a Computer Operate?
• How is data stored on a hard drive?
• How is data “deleted” by the operating system?
Collecting “ESI”
• Windows Copy
• Ghost Copy/Images
• Forensic Images
Collecting “ESI”
• Forensic Harvesting - Logical v. Physical
  – Logical copy (Active Files)
    • Data that is visible via the O.S.
  – Physical
    • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
First Response
• First Steps Taken
– Identify users/custodians, electronic devices and begin Chain of Custody
– Photograph and document full environment and condition/state of devices
– Determine next steps depending on device(s) and situation
Acquisition (Data Harvest)
• Equipment and Tools
  – Write Blockers
  – Camera
  – Forensically wiped hard drives
  – Screwdrivers
  – Anti-static bags
  – Power strips and extension cords
  – Blank CDs and DVDs / USB Flash Drives
  – SD Card / Micro Card Reader
  – Fans for cooling drives during imaging
Acquisition (Data Harvest)
• Software Tools
  – EnCase (Guidance Software)
  – Forensic Tool Kit (AccessData)
  – Mobile Phone Examiner (AccessData)
  – Device Seizure (Paraben)
  – Raptor (Forward Discovery)
  – Internet Evidence Finder (Magnet Forensics)
• Hardware Tools
  – Write Blockers (Tableau)
  – CellDEK (Logicube)
Types of Data Acquisitions
• Image Types
  – EnCase Image (.E01)
  – Logical EnCase Image (.L01)
  – DD Image (.001)
  – Custom Content Image (.AD1)
• ESI Locations
  – Hard Drives
  – Servers
    • Email
    • Network Shares
  – Cell Phone/PDA
  – External Media
Computer Imaging
• Photograph, document and begin Chain of Custody
• Acquire live RAM (if possible/necessary)
• Shut down computer
  – Pull plug (Windows/Mac)
  – Properly shut down (Server/Linux/Unix)
• Determine imaging method and format
  – Write Blocker
  – Boot Disk
    • USB / eSATA / FireWire
    • Crossover Cable
Computer Imaging
• Imaging Process
  – Set segment size, type of image, name and compression
  – Create forensic image utilizing selected method
  – Verify image hash value
• Check BIOS clock and document date/time
  – Make note of any differences from actual date/time
• Re-install hard drive if removed and verify that the computer boots to the OS
• Create “Work” drive of collected images
  – Connect backup drive to a write blocker to ensure no changes to the original data occur
Device Imaging
Creating a “Work” drive
Image Verification
• Presentation Suspect Images
• Description: Physical Disk, 39102336 Sectors, 18.6GB
• Physical Size: 512
• Starting Extent: 1S0
• Name: Presentation Suspect Images
• Actual Date: 03/24/09 03:17:21PM
• Target Date: 03/24/09 03:17:21PM
• File Path: E:\Presentation image.E01
• Case Number: Presentation Drive
• Evidence Number: Presentation Suspect Images
• Examiner Name: Stephen W. St.Pierre
• Drive Type: Fixed
• File Integrity: Completely Verified, 0 Errors
• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
• GUID: 04d345276275524c8a111824be6eb170
• EnCase Version: 5.05j
• System Version: Windows 2003 Server
• Total Size: 20,020,396,032 bytes (18.6GB)
• Total Sectors: 39,102,336
Work Images
• Creating Work copy of original Backup Image
  – Evidence Mover Log:
03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01 Destination file: G:\Evidence\Presentation image.E01.
Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678
03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02 Destination file: G:\Evidence\Presentation image.E02.
Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842
03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03 Destination file: G:\Evidence\Presentation image.E03.
Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917
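The two checks described in the imaging slides (acquisition hash equals verify hash, then a fresh hash of every segment when the work copy is made) can be repeated at any later time from the mover log. The following is an added example written for this page, not code from the deck or from Evidence Mover: it parses log entries in the style shown above, re-hashes each destination segment and reports any segment whose hash no longer matches. The paths, segment contents and the altered byte are all constructed.

```python
import hashlib
import os
import re
import tempfile

# Pulls source, destination and hash out of Evidence Mover style entries like those above
# (pattern written for this example, not taken from the tool).
ENTRY_RE = re.compile(
    r"Source file: (?P<src>.+?) Destination file: (?P<dst>.+?)\.\s*"
    r"Attempt# \d+ Hash :(?P<md5>[0-9A-Fa-f]{32})"
)

def md5_file(path, chunk_size=1 << 20):
    """Stream a segment through MD5 so multi-gigabyte .E0x files never have to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def parse_mover_log(text):
    """Return [(src, dst, md5)] for every copy entry found in the log text."""
    return [(m["src"], m["dst"], m["md5"].upper()) for m in ENTRY_RE.finditer(text)]

def copy_and_log(src, dst):
    """Copy one segment, then record the hash of the copy the way the mover log does."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(1 << 20), b""):
            fout.write(chunk)
    return f"Source file: {src} Destination file: {dst}.\nAttempt# 1 Hash :{md5_file(dst)}"

def verify_work_copy(log_text):
    """Re-hash every destination named in the log; return {dst: (logged, computed, ok)}.
    A missing segment counts as a mismatch rather than being skipped."""
    report = {}
    for _, dst, logged in parse_mover_log(log_text):
        computed = md5_file(dst) if os.path.exists(dst) else "MISSING"
        report[dst] = (logged, computed, logged == computed)
    return report

def demo():
    """Constructed scenario: three segments copied to a work drive, one altered afterwards."""
    root = tempfile.mkdtemp()
    entries = []
    for i in (1, 2, 3):
        src, dst = os.path.join(root, f"image.E0{i}"), os.path.join(root, f"work_image.E0{i}")
        with open(src, "wb") as f:
            f.write(bytes([i]) * 4096)        # constructed segment contents
        entries.append(copy_and_log(src, dst))
    with open(os.path.join(root, "work_image.E02"), "r+b") as f:
        f.seek(100)
        f.write(b"\x00")                      # one byte changed on the work copy
    return verify_work_copy("\n".join(entries))
```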
USB Thumb Drive Acquisition
• Photograph, document and begin Chain of Custody
• Determine imaging method and format
  – Hardware write blocker
  – Software registry write block
• Imaging Process
  – Create forensic image utilizing selected method
  – Verify image(s) hash value
Network Data Collection
• Photograph and document
• Coordinate with IT to determine location of desired shares/folders
• Obtain proper credentials to access target data
• Attach forensically wiped hard drive to server or workstation with local network access
• Run FTK Imager Lite from attached hard drive
• Create Custom Content Image (.AD1) of target shares/folders
• Verify image MD5 hash value
Network Data AD1 Image (screenshots)
• Add Contents of a Folder
• Add To Custom Content Image (AD1)
• Create Custom Content Image
• Verify Hash Value of AD1
Microsoft Exchange Collection
• Photograph and document
• Stop Microsoft Exchange services
• Attach forensically wiped hard drive to Exchange server
• Run FTK Imager Lite from attached hard drive
• Create Custom Content Image (.AD1) of Exchange .EDB files
• Verify image MD5 hash values
• Restart all Microsoft Exchange services
Microsoft Exchange Cont.
• Select Mailbox Collection
  – Exchange 2003
    • ExMerge
  – Exchange 2007 & 2010
    • Command Line/PowerShell
Registry Overview
• Windows Registry – central database of the configuration data for the OS and applications.
• Gold mine of forensic evidence
• Registry Keys
  – Software
  – System
  – SAM (Security Account Manager)
  – NTUSER.dat
Software Key
• What Operating System Installed?
• Date/Time OS Installed
• Product ID For Installed OS
• Installed software
• Programs That Run Automatically at Startup (Place to Hide Virus)
• User Profiles
System Key
• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System Shutdown Time
• Time Zone
SAM & NTUSER.DAT Keys
• SAM
  – Domain Accounts
• NTUSER.DAT
  – Network Assigned Drive Letters
  – Last Clean Shutdown Date/Time
  – Recent Documents
  – Program settings
Forensic Analysis
• Registry Analysis
  – OS Install date/time
  – Installed Software
  – Startup programs
  – Time Zone settings
  – Last Shutdown time
  – User information / Accounts
  – Recently opened files
  – Connected USB Devices
  – Mounted Drives
  – Recently used programs
Registry – OS Install Date
Registry – Installed Software
Registry – Startup Programs
Registry – Time Zone Settings
Registry – Last Shutdown Time
Registry – User Info/Accounts
Registry – Recently Opened
Registry – USB Devices
Registry – Mounted Drives
Registry – Recent Programs
Forensic Analysis
• USB / External HDD Analysis
  – Serial Number
  – Volume Serial Number
  – Model
  – First Connected
  – Last Connected
  – Friendly Name
  – User who connected drive
  – .LNK Files
USB/External HDD Analysis
Forensic Analysis
• Internet History
  – Default internet browser
  – Sites visited and frequency
  – Date and time of last visit
• Recent Folder
  – Recently accessed files/programs
• My Documents / User Folder(s)
  – Usually where most user-created data is located
Internet History Analysis
Forensic Analysis
• Deletion
  – Recycle Bin
    • Examine INFO2 records if file was sent to the recycle bin
      – Contains the date & time the file was sent to the recycle bin
      – Shows where the file resided before being sent to the recycle bin
  – Data Carving
  – Evidence of wiping or wiping software
    • Hex editor sometimes helps to see wiping pattern if one exists
  – Example recovery of deleted document…
Example recovery of a deleted document (demo screenshots):
• “deleted.txt” exists on a disk
• The file has been deleted
• The directory listing… note the sigma character
• Is the data really gone???
• Sigma changed to underscore
• Hey … it’s back!
• VOILA…
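The demo above, and the earlier point that “deleted is not necessarily deleted”, rest on one FAT detail: deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5 (shown as σ in code page 437), while the size, starting cluster and data clusters stay in place. The following added example (written for this page, not the deck's own material) builds a constructed directory entry, marks it deleted the way the OS does, and restores it by replacing the marker with an underscore as in the demo.

```python
import struct

ENTRY_FMT = "<8s3sBBBHHHHHHHI"   # the 32-byte on-disk FAT directory entry, little-endian
DELETED_MARK = 0xE5              # byte the OS writes over the first name character on delete
ATTR_ARCHIVE = 0x20

def fat_datetime(date, time):
    """FAT stores a date as (year-1980, month, day) and a time with 2-second resolution."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def build_entry(name, ext, size, first_cluster, y, mo, d, h, mi, s):
    """Constructed entry for the demo; on a real volume these come from the directory region."""
    date = ((y - 1980) << 9) | (mo << 5) | d
    time = (h << 11) | (mi << 5) | (s // 2)
    return struct.pack(ENTRY_FMT, name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                       ATTR_ARCHIVE, 0, 0, time, date, date,
                       first_cluster >> 16, time, date, first_cluster & 0xFFFF, size)

def parse_entry(raw):
    """Decode an entry as a directory listing shows it (the 0xE5 marker renders as σ in CP437)."""
    name, ext, _, _, _, _, _, _, hi, wtime, wdate, lo, size = struct.unpack(ENTRY_FMT, raw)
    return {
        "name": name.decode("cp437").rstrip() + "." + ext.decode("cp437").rstrip(),
        "deleted": raw[0] == DELETED_MARK,
        "size": size,                        # still intact after deletion
        "first_cluster": (hi << 16) | lo,    # still points at the data after deletion
        "modified": fat_datetime(wdate, wtime),
    }

def delete_entry(raw):
    """What the OS does on delete: one byte of the entry changes; the data clusters are untouched."""
    return bytes([DELETED_MARK]) + raw[1:]

def undelete_entry(raw, first_char=b"_"):
    """The recovery step from the demo: replace the marker with a placeholder character.
    The entry becomes visible again; its content is only trustworthy if the clusters were not reused."""
    if raw[0] != DELETED_MARK:
        raise ValueError("entry is not marked as deleted")
    return first_char + raw[1:]
```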
Deleted & Overwritten File
Recycle Bin Info Record Finder
• These files were recovered by searching for recycle bin header signatures in unallocated and slack space. These records represent files that were contained in the recycle bin before it was emptied.
• Info records for file: Demo case\Revised demo images\C\RECYCLER\S-1-5-21-1229272821-1592454029-839522115-1003\INFO2
• Index : 2
  Deleted : 11/06/07 03:30:54PM
  FileSize : 20480 bytes (20 KB)
  FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
  Offset : 820
• Index : 2
  Deleted : 11/06/07 10:30:54AM
  FileSize : 20480 bytes (20 KB)
  FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
  Offset : 1080
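The records above are Windows 2000/XP INFO2 entries: a 20-byte file header followed by 800-byte records. This added example (written for this page, not the finder tool's code) parses that record layout and carves such records out of a constructed blob by searching for the INFO2 header, producing the same Index/Deleted/FileSize/FilePath/Offset fields; the file paths, deletion times and surrounding junk are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 800                 # Windows 2000/XP INFO2 record length
HEADER_SIZE = 20                  # version, two unknown fields, record size, total size
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_str(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC; rendered like the listing above."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%m/%d/%y %I:%M:%S%p")

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def make_record(path, index, drive, deleted_at, size):
    """Constructed record: ANSI path (260), index, drive number, FILETIME, size, UTF-16 path (520)."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, to_filetime(deleted_at), size) + uni

def parse_record(rec, offset):
    """The UTF-16 copy at 0x118 is the one to trust: emptying the bin zeroes the first byte
    of the ANSI name but leaves the UTF-16 copy and the other fields in place."""
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
    path = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"index": index, "drive": chr(ord("A") + drive), "deleted": filetime_to_str(ft),
            "size": size, "path": path, "offset": offset}

def carve_info2(blob):
    """Scan unallocated/slack data for INFO2 headers (version 5, record size 800) and parse
    every complete record that follows each hit, stopping at the first empty UTF-16 name."""
    found, pos = [], 0
    while (pos := blob.find(b"\x05\x00\x00\x00", pos)) != -1:
        if blob[pos + 12:pos + 16] == struct.pack("<I", RECORD_SIZE):
            off = pos + HEADER_SIZE
            while off + RECORD_SIZE <= len(blob) and blob[off + 0x118:off + 0x11A] != b"\x00\x00":
                found.append(parse_record(blob[off:off + RECORD_SIZE], off))
                off += RECORD_SIZE
        pos += 4
    return found

def demo():
    """Constructed INFO2 fragment surrounded by junk, as a carver would meet it in unallocated space."""
    when = datetime(2007, 11, 6, 15, 30, 54, tzinfo=timezone.utc)
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
    recs = make_record(r"C:\Documents and Settings\Demo\My Documents\constructed.xls", 2, 2, when, 20480)
    recs += make_record(r"C:\Documents and Settings\Demo\Desktop\constructed.doc", 3, 2, when - timedelta(hours=5), 4096)
    return carve_info2(b"\xff" * 37 + header + recs + b"\xff" * 64)
```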
Forensic Analysis
• File Signature Analysis
• File Hash Analysis
• Analysis Examples …
Signature Analysis (screenshot examples)
Hash Analysis (screenshot example)
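File signature analysis and hash analysis reduced to a small triage routine, added here as an example (not the deck's or any tool's code): it compares the leading bytes of each file with what its extension claims, drops files whose MD5 is in a known-file set (KFF style), and pairs duplicates by hash. The signature table and the sample evidence set are constructed.

```python
import hashlib

# Magic numbers at offset 0 for a few types seen in every case (constructed subset).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                         # also the container of .docx/.xlsx/.pptx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls/.ppt compound files
    b"MZ": "exe",
}
# Extensions that legitimately carry each signature above.
EXT_TO_KIND = {"jpg": "jpg", "jpeg": "jpg", "pdf": "pdf", "zip": "zip",
               "docx": "zip", "xlsx": "zip", "pptx": "zip", "doc": "ole", "xls": "ole",
               "ppt": "ole", "exe": "exe", "dll": "exe"}

def identify(header):
    """Type implied by the leading bytes, or None when no signature matches."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def signature_mismatch(name, header):
    """True when the content type is known and the extension claims something else
    (a JPEG renamed to .txt); files with no known signature are not reported."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(header)
    return kind is not None and EXT_TO_KIND.get(ext) != kind

def triage(files, known_md5):
    """files: [(name, content)]. Drops files whose MD5 is in the known set (KFF style),
    pairs duplicates by hash and flags signature/extension mismatches."""
    out = {"known": [], "mismatch": [], "duplicates": []}
    first_seen = {}
    for name, content in files:
        digest = hashlib.md5(content).hexdigest()
        if digest in known_md5:
            out["known"].append(name)
            continue
        if signature_mismatch(name, content[:16]):
            out["mismatch"].append(name)
        if digest in first_seen:
            out["duplicates"].append((name, first_seen[digest]))
        else:
            first_seen[digest] = name
    return out

def demo():
    """Constructed evidence set: a renamed JPEG, a duplicated spreadsheet and one known binary."""
    xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    exe = b"MZ" + b"\x90" * 30
    files = [("report.pdf", b"%PDF-1.4 constructed"), ("photo.jpg", b"\xff\xd8\xff\xe0constructed"),
             ("notes.txt", b"\xff\xd8\xff\xe0renamed"), ("budget.xls", xls),
             ("budget (copy).xls", xls), ("calc.exe", exe)]
    return triage(files, {hashlib.md5(exe).hexdigest()})
```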
Forensic Analysis
• Key Term Searching
  – Index full contents of the image for searching
  – Tips for this method
• File Filtering
  – Date ranges
  – File type(s)
  – Duplicates
  – Known Files (KFF)
  – Even combinations of multiple filters
Forensic Analysis
• Email Activity
• Printing Activity
  – Look for printing spool/shadow files
    • Can possibly contain the data that was sent to a printer
• Network Activity
  – Network connections
  – Wireless access points
  – Shared network folders/files
Forensic Analysis
• Hiberfil.sys Analysis
  – Data is written to the “hiberfil.sys” file when a machine is put in hibernation mode on the Windows OS
    • Usually recent data
  – May contain passwords, login information, temporary data, whole or partial documents
• RAM Analysis
  – Can only be acquired on a live system
    • Analyst will change data on the system
  – May contain passwords, login information, temporary data, whole or partial documents, currently running processes
Forensic Analysis
• Unallocated Space
  – Partial documents
  – Overwritten files
• Drive Free Space
• File Slack
Mobile Device Acquisition
• Photograph, document and begin Chain of Custody
• Obtain password if enabled
• Obtain charger and maintain power to the device
• Cut off network communications
  – Faraday bag or Airplane Mode
• Determine acquisition/data extraction method
  – Device
    • CellDEK
    • Device Seizure
    • MPE+
  – SIM Card – CellDEK, Device Seizure or MPE+
  – Media/SD Card – EnCase
Mobile Device Analysis
• Not to be considered an “Image”
  – Extraction of artifacts from the device’s databases
• Some Items That Can Be Acquired
  – SMS/MMS
  – Email
  – Contacts
  – Calendar
• Searching
  – Able to search within the device’s extracted data for key terms
  – Bookmark items that are relevant to the case
Mobile Device Analysis
• Reporting
  – Tools include report generators
    • HTML
    • CSV / XLS
    • PDF
  – Include ALL items or only Bookmarked items
    • Helps to limit the amount of irrelevant data in the reports
Evidence/Analysis Reporting
• Native File Exports
  – Provide files in native format on CD, DVD or External HDD
  – Allows client to view the files as the custodian did
  – Keeps metadata intact
• Metadata Report
  – Excel spreadsheet containing all the metadata of the native file export
  – Easy way to look through and sort the files in one place
Evidence/Analysis Reporting
• Detailed Forensic Report
  – Report done throughout and after every case
  – Details all work done by forensic analysts from beginning to end
• HTML Based Reports
  – FTK, Device Seizure, CellDEK, Internet Evidence Finder
  – Simple report in web format for easy viewing
• Final Expert Report
  – Completed & signed version of the detailed forensic report
• Expert Testimony
  – Analysts will provide expert testimony in court if required.
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]
[email protected] @jurinnov.com
JurInnov Ltd., The Idea Center
1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115