CSE 4482 Computer Security Management: Assessment and Forensics Instructor: N. Vlajic, Fall 2013 Computer Forensics
Computer Forensics - York University · from a suspect’s computer & determine whether the suspect: (a) committed a crime – in law enforcement incidents (b) violated a company

Mar 31, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript

Page 2

Required reading:

Page 3

Learning Objectives

Upon completion of this material, you should be able to:

• Define computer forensics.

• Explain what makes ‘digital evidence’ admissible in court.

• List the key stages of the Computer Investigation Process.

Interesting story: http://www.youtube.com/watch?v=vJdME6vczeo

Page 4

Introduction

• Computer Forensics – involves obtaining & analyzing digital information in a way that makes it admissible as evidence in a court of law

like an archaeologist excavating a site, forensics investigators retrieve information from a computer (hard drive) or other storage media (USB drives, DVDs, CDs, Zip drives, floppy disks, …)

data is often not easy to find or decipher!

combines elements of CS and law

Computer Forensics ≠ Network Forensics

Computer Forensics ≠ Data Recovery

Page 5

Introduction (cont.)

• Network Forensics – yields information about how an attacker gained access to a network and what exactly he accessed in the network

when / how / from which location the attacker logged on to the network, and which URLs and files, … he looked at / modified / left behind

http://en.wikipedia.org/wiki/Network_forensics

Page 6

Introduction (cont.)

• Data Recovery – involves recovering information from a computer / storage media that was deleted by mistake or lost during a server crash or a power surge

in data recovery, you typically know what you are looking for, and it is not (absolutely) necessary to:

ensure that no data / evidence has been damaged or altered in the process

make detailed documentation of all processes, analyzed results and conclusions

Page 7

Introduction (cont.)

• Role of Computer Forensics Professional – in a safe & minimally invasive manner, gather digital evidence from a suspect’s computer & determine whether the suspect:

(a) committed a crime – in law enforcement incidents

(b) violated a company policy – in private-sector incidents

if the evidence suggests that one of the above has been committed, the forensics professional should start preparing the case – document the evidence so that it is usable in court

Page 8

Introduction (cont.)

• Civil or Criminal? in computer forensics, as in the law, procedures in criminal & civil cases are somewhat different

criminal cases involve (e.g.) terrorism related offences, homicides, financial fraud, etc.

law enforcement must get involved

extra care/steps should be taken when collecting data - standard of evidence is much higher than in civil cases

fortunately, with a search warrant, law enforcement officers can seize any piece of the defendant’s property – makes collecting evidence easier

guilty outcomes can result in fines, probation, imprisonment, …

Page 9

Introduction (cont.)

• Civil or Criminal?

civil cases involve (e.g.) offences related to harassment, violation of contracts, misappropriation of trade secrets, etc.

any seizing of property (computer) is not likely – the defendant gets more time to hide or destroy evidence

often, fewer and less formal pieces of evidence are enough to facilitate ‘out of court’ settlements

Although we use many of the same tools, computer forensic professionals in private practice and those in law enforcement are held to different standards, have access to different resources, and their work results in substantially different outcomes between the criminal and civil cases to which they contribute.

http://burgessforensics.com/Civ_Criminal.php

Page 10

Introduction (cont.)

• Law Enforcement Referrals – Yes or No? – in cases where contacting law enforcement is optional (not mandatory), the pros and cons are:

provides access to more powerful investigative tools and utilization of ‘search warrants’

sends a powerful message to would-be predators

can disrupt business activity

can create bad publicity regarding the organization’s information security

creates danger of exposing internal information

Page 11

Digital Evidence

• Locard’s Principle – postulated by 20th century forensics scientist Edmond Locard (France)

‘every contact leaves a trace’

Anyone, or anything, entering a crime scene both takes something of the scene with them and leaves something of themselves behind.

In cybercrime, the perpetrator may come only in ‘virtual’ contact with the crime scene – nevertheless, he will still leave a trace: in files, log files, registry, memory, …

Page 12

Digital Evidence (cont.)

• Digital Evidence – any information, stored or transmitted in digital form, that a party to a court case may use at a trial

examples:

emails

digital photographs

word processing documents

spreadsheets

internet browser histories

contents of computer memory

ATM transaction logs

GPS tracks, …

to be accepted in court, digital evidence must be: 1) admissible, 2) authentic, and 3) not hearsay

Page 13

Digital Evidence: Admissibility

1) Admissibility of Digital Evidence – to be acceptable to a court, digital evidence must be obtained with authorization & properly handled

investigator must obtain a search warrant, court order or consent before collecting digital evidence – otherwise the evidence may be rejected

To obtain a search warrant, investigators must demonstrate probable cause and detail the place to be searched and the persons or things to be seized. That is, investigators have to convince a judge that: 1) a crime has been committed; 2) evidence of crime is in existence; 3) the evidence is likely to exist at the places to be searched.

E. Casey, Digital Evidence and Computer Crime, 3rd edition

Page 14

Digital Evidence: Authenticity

2) Authenticity (Reliability or Integrity) of Digital Evidence – covers two important aspects:

(1) content of the record is the same as when collected

(2) the information in the record does originate from the claimed source

often difficult to prove, as digital data can be easily altered before and after seizure – deliberately or accidentally

may also require proof that the system that generated the digital evidence was working properly during the relevant time

Page 15

Computer Investigation (cont.)

Example: Case Study – Amex vs. Vinhnee (2005)

In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence.

Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.

The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ..."

http://www.proofspace.com/technology/discovery.php

Page 16

Example: CD Universe Prosecution Failure

“An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000.

Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …

Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established.

Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”

Page 17

Computer Investigation (cont.)

Example: Case Study – Amex vs. Vinhnee (2005)

Steps you can take to give your digital data a better chance of being admitted into evidence in a court:

1. Document your access control and backup procedures and policies, and test the effectiveness of your controls.

2. Have the changes to your databases and content/record management system routinely recorded and logged.

3. Protect your electronic records from post-archival tampering with modern data integrity and trusted time-stamping technologies.

4. Document the audit procedures you use to provide assurance of the continuing authenticity of the records.

http://www.proofspace.com/technology/discovery.php

Page 18

Digital Evidence (cont.)

Example: System and digital evidence

Consider the example of Web server logs showing unauthorized access to a server via a VPN concentrator: an inexperienced digital investigator may conclude, on the basis of this log entry, that the connection to the Web server occurred at 02:38 on the morning of April 4, 2009, from a computer with IP 192.168.1.1. A more experienced digital investigator will have less confidence that this log entry is accurate and may not be willing to reach a conclusion without further investigation. Namely:

a) The system clock of the server could be incorrect, resulting in the date-time stamp in the log entry being incorrect.

b) The date-time stamp could be configured with a time zone in either Coordinated Universal Time (UTC) or local time.

Ideally, there would be some documentation/evidence about the system’s clock time and the zone configuration …
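The ambiguity just described, worked through in code as an added example (not from the original slides): the same constructed log entry is converted to UTC under each assumption about the server clock, using an assumed local zone of UTC-4 and an assumed measured drift of 7.5 minutes; a second constructed line shows that a recorded zone offset removes the zone question but not the drift question.

```python
"""Interpreting one Web server log timestamp under different clock assumptions.

Added example, not from the original slides. The log lines are constructed;
the server's local zone offset and the measured clock drift are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines in Apache "common log" style. The first carries NO
# zone field, so the reader must supply an assumption about the server clock;
# the second records its offset explicitly, which removes that ambiguity.
LOG_LINE_NO_ZONE = '192.168.1.1 - - [04/Apr/2009:02:38:00] "GET /admin HTTP/1.1" 200 512'
LOG_LINE_WITH_ZONE = '192.168.1.1 - - [04/Apr/2009:02:38:00 -0400] "GET /admin HTTP/1.1" 200 512'

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+)(?: (?P<off>[+-]\d{4}))?\] "(?P<req>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

UTC = timezone.utc
# Assumption: the server's local zone is UTC-4 (Eastern Daylight Time in April).
ASSUMED_LOCAL = timezone(timedelta(hours=-4), "UTC-4")
# Assumption: when checked against a trusted reference, the server clock was
# found to be 7 min 30 s fast (positive = server ahead of the reference).
ASSUMED_DRIFT = timedelta(minutes=7, seconds=30)


def parse_entry(line: str):
    """Return (client_ip, timestamp, request). The timestamp is zone-aware only
    if the log line itself recorded an offset; otherwise it is naive (zone unknown)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ts, off = m.group("ts"), m.group("off")
    if off:
        when = datetime.strptime(ts + " " + off, TS_FORMAT + " %z")
    else:
        when = datetime.strptime(ts, TS_FORMAT)
    return m.group("ip"), when, m.group("req")


def to_utc(when: datetime, assumed_zone: timezone) -> datetime:
    """Normalise to UTC, applying `assumed_zone` only when the entry has no zone."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=assumed_zone)
    return when.astimezone(UTC)


def correct_drift(when: datetime, server_minus_reference: timedelta) -> datetime:
    """Undo measured clock drift: a fast server clock means the event was earlier."""
    return when - server_minus_reference


def candidate_times(line: str, drift: timedelta = ASSUMED_DRIFT) -> dict:
    """Every plausible real (UTC) time for one entry, keyed by the assumption made."""
    _, when, _ = parse_entry(line)
    if when.tzinfo is not None:
        assumptions = {"offset recorded in log": when.tzinfo}
    else:
        assumptions = {"server clock in UTC": UTC,
                       "server clock in local time (UTC-4)": ASSUMED_LOCAL}
    out = {}
    for label, zone in assumptions.items():
        exact = to_utc(when, zone)
        out[label] = exact
        out[label + ", drift-corrected"] = correct_drift(exact, drift)
    return out


if __name__ == "__main__":
    for line in (LOG_LINE_NO_ZONE, LOG_LINE_WITH_ZONE):
        print(line)
        for label, when in candidate_times(line).items():
            print(f"  {label:45s} -> {when.isoformat()}")
```

The four-hour spread between the two zone assumptions is exactly the kind of gap that documentation of the server's clock and zone configuration would close.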

Page 19

Digital Evidence: Authenticity (cont.)

• Chain of Custody – documentation aimed at proving that, from the time it was seized, the evidence: 1) was handled and preserved properly, and 2) was never at risk of being compromised;

must include detailed information about:

where the evidence was stored

who had access to the evidence

what was done to the evidence

e.g. when it was handed over from one person/organization to another

Page 20

Digital Evidence : Authenticity (cont.)

Example: Chain-of-Custody Form

http://www.niiconsulting.com/checkmate/wp-admin/images/0206/cocfrm.jpg

Page 21

Digital Evidence: Authenticity (cont.)

• Level of Certainty in Digital Evidence – forensics investigators assign a level of certainty to conclusions that are based on digital evidence

E. Casey, Digital Evidence and Computer Crime, 3rd edition

Page 22

Digital Evidence: Hearsay

• Direct Evidence – supports the truth of an assertion without an intervening inference

• Circumstantial Evidence – aka indirect evidence – relies on inference to connect it to a conclusion

For example, a computer log-on record is direct evidence that a given account was used to log into a system at a given time, but is circumstantial evidence that the individual who owns the account was responsible. In order for the log-on record to ‘become’ direct evidence, it is necessary to: 1) demonstrate that nobody else had access to the individual’s computer or password; 2) the account owner was the only person in the vicinity of the computer at the time of the log on (e.g., by using building security logs).

E. Casey, Digital Evidence and Computer Crime, 3rd edition

Page 23

Digital Evidence: Hearsay (cont.)

3) Hearsay – indirect evidence such as any statement made out of court & not under oath (generally not accepted in court)

digital evidence that is (or may be) hearsay: any human-generated data

example: emails, chat-logs, etc.

not easy to prove that statements / claims made in these documents are true unless confirmed by the person that has generated them

For instance, an email message may be used to prove that an individual made certain statements, but cannot be used to prove the truth of the statements it contains. Although Larry Froistad sent a message to an e-mail list indicating that he killed his daughter, investigators needed a confession and other evidence to prove this fact.

E. Casey, Digital Evidence and Computer Crime, 3rd edition

Page 24

Computer Investigation Phases

• Computer Investigation Phases – in working with digital evidence, 4 investigation phases should be applied:

assess – analyze the scope of investigation & adequate actions to be taken

acquire – gather, protect, & preserve original evidence

analyze – correlate digital evidence with events of interest that will help you make a case

report – gather & organize collected evidence / information and write a report

http://technet.microsoft.com/en-us/library/cc162846.aspx

Page 25

Computer Investigation Phases (cont.)

• Warnings!!!

IT professionals who are unprepared for conducting a forensic computer investigation can easily ruin the suspect’s data & make a case impossible to prosecute.

So, if you are not sure how to conduct a forensic investigation (e.g. which tools to employ) – don’t!, or you might become the subject of an investigation.

Also, before beginning (each phase of) an investigation, determine whether law enforcement should be involved.

Page 26

Computer Investigation Phases (cont.)

Phase 1: Assess the Situation

1) Notify Decision Makers & Get Authorization

to conduct a computer investigation, you need to obtain proper authorization, unless existing policies and procedures provide incident response authorization

2) Review Applicable Policies and Laws

determine if you have legal authority to conduct an investigation, i.e. whether the organization has policies/procedures that address the privacy rights of employees, contractors, etc.

many companies state in their policies that there should be no expectation of privacy in the use of the company’s equipment …

Page 27

Computer Investigation Phases (cont.)

Phase 1: Assess the Situation

3) Identify Investigation Team Members

organizations should establish a forensics team – possessing an appropriate set/blend of skills – as a part of the incident response / disaster recovery process

the forensics team should be kept as small as possible to ensure data confidentiality and minimize the chances of unwanted information leaks

if the organization does not have personnel with the necessary skills, a trusted external investigation team should be engaged

4) Conduct a Thorough Assessment

conduct a documented assessment of the situation (to prioritize necessary actions & justify resources for the investigation), which would clearly identify:

impacted (& potentially impacted) parties

impact of the incident on current & potential business

number of networks & computers involved, etc.

Page 28

Computer Investigation Phases (cont.)

Phase 1: Assess the Situation

4) Conduct a Thorough Assessment (cont.)

a thorough assessment may require you to:

obtain the network topology documentation

capture network traffic over a period of time

use tools to examine the state of software applications & OSs on affected computers, etc.

best practices of the assessment process:

build a timeline and map everything to it

securely store any records or logs generated

identify and interview anyone who might be involved; document all interview outcomes

5) Prepare for Evidence Acquisition

before you move on to acquiring the data, ensure that you have generated proper documentation

understand that if the incident becomes more than an internal investigation, this documentation may be reviewed and/or used in court

Page 29

Computer Investigation Phases (cont.)

Phase 2: Acquire the Data

1) Build Computer Investigation Toolkit

to acquire data appropriately, a laptop/workstation with a range of software and hardware tools is needed, and typically should include:

write-protected backup devices

tools for creating a bit-to-bit copy (image) of a hard drive – ideally a hardware duplicator

password recovery tools

cables

camera, …

ideally, such toolkits would be created in advance

for a more detailed list of tools see:

http://technet.microsoft.com/en-us/library/cc162846.aspx

Page 30

Computer Investigation Phases (cont.)

Phase 2: Acquire the Data

2) Collect the Data

create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected

subsequent data analysis should be performed on this copy and not on the original evidence

verify the data you collect by creating a checksum and digital signatures when possible, to prove that the copied data is identical to the original

when you must capture volatile data, carefully consider the order in which you collect data – volatile data can be easily destroyed

e.g. running processes, data loaded into memory, routing tables and temporary files can be lost forever when the computer is shut down

you may need a combination of command-line tools + camera to capture some of the volatile data
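The checksum verification of a bit-wise copy described in Collect the Data, together with the chain-of-custody record that the Authenticity slides call for, as an added example that is not part of the original slides: the drive contents, item id, custodian names and locations are constructed, and the tampering step is simulated in a temporary directory so the whole scenario runs offline.

```python
"""Verify a bit-wise image against the original and keep a chain-of-custody log.

Added example, not from the original slides. Standard library only; the
evidence bytes, item id, custodians and locations are all constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so a large image never fills memory


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a whole file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(original: str, image: str) -> dict:
    """Hash original and copy; both digests are kept so the record can be re-checked later."""
    h_orig, h_img = sha256_file(original), sha256_file(image)
    return {"original_sha256": h_orig, "image_sha256": h_img,
            "identical": hmac.compare_digest(h_orig, h_img)}


class CustodyLog:
    """Append-only record of where the evidence was, who handled it and what was done."""

    def __init__(self, item_id: str, reference_sha256: str):
        self.item_id = item_id
        self.reference = reference_sha256  # digest taken at seizure / imaging time
        self.entries = []

    def record(self, action: str, custodian: str, location: str, current_path: str) -> dict:
        """Log one handling step, re-hashing the evidence so any alteration surfaces at once."""
        digest = sha256_file(current_path)
        entry = {"item": self.item_id,
                 "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "action": action, "custodian": custodian, "location": location,
                 "sha256": digest,
                 "matches_reference": hmac.compare_digest(digest, self.reference)}
        self.entries.append(entry)
        return entry

    def intact(self) -> bool:
        """True only if every recorded handling step saw the same digest as at imaging."""
        return bool(self.entries) and all(e["matches_reference"] for e in self.entries)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def run_demo() -> dict:
    """Constructed scenario: imaging, two hand-overs, then an unlogged edit of the copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "suspect_drive.bin")
        image = os.path.join(d, "suspect_drive.dd")
        payload = b"constructed drive contents " * 4096
        for path in (original, image):      # the image is a faithful bit-wise copy
            with open(path, "wb") as f:
                f.write(payload)

        check = verify_image(original, image)
        log = CustodyLog("EV-0001", check["original_sha256"])
        log.record("imaged", "A. Examiner", "Lab bench 2", image)
        log.record("handed over", "B. Custodian", "Evidence locker 7", image)
        before = log.intact()

        with open(image, "r+b") as f:       # someone modifies the copy in place
            f.write(b"X")
        log.record("retrieved for analysis", "C. Analyst", "Lab bench 1", image)
        return {"identical_after_imaging": check["identical"],
                "intact_before_edit": before,
                "intact_after_edit": log.intact(),
                "entries": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The final entry's digest no longer matches the reference, which is what a reviewer of the custody log would look for before relying on the copy.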

Page 31

Computer Investigation Phases (cont.)

Phase 2: Acquire the Data

3) Store and Archive

evidence must be stored and archived in a way that ensures its safety and integrity

best practices:

store the evidence in a tamperproof location

ensure no unauthorized personnel have access to the evidence

protect the storage from magnetic fields

make at least two copies of the evidence, and store one copy in a secure offsite location

clearly document the ‘chain of custody’

Page 32

Computer Investigation Phases (cont.)

• Bit-wise Copy of a Hard Drive – aka bit-stream copy or hard drive clone = bit-by-bit copy of the original drive and is its exact duplicate

must be done in ‘hardware’, and is different from a simple back-up copy!

back-up software only copies files that are stored in a folder or are of a known file type

back-up software does NOT copy deleted files or e-mails or recover file fragments

manufacturer & model of the target drive should be the same as the original

if you replace the source disk with the target disk the system will work

hard drive image = clone content in a file – typically done in ‘software’

http://www.itechnews.net/2010/04/01/startech-satdock22r-sata-hard-drive-duplicator/#more-36307

Page 33

Computer Investigation Phases (cont.)

Phase 3: Analyze the Data

1) Analyze Network Data

some investigations may require analysis of network data (firewall, proxy server, IDS logs)

typical information to look for:

date and time of an event

IP address and username

resources being accessed, …

2) Analyze Host Data

some investigations may require that components of a host’s operating system be examined

in addition to the standard computer-related info (make, ROM, RAM, etc.), other info to look for:

any malicious applications and processes, including those scheduled to run during the boot process

clock drift information, …

Page 34

Computer Investigation Phases (cont.)

Phase 3: Analyze the Data

3) Analyze Storage Media

storage media collected during the Data Acquisition phase will contain many files – identify those that are relevant for the investigation

when accessing files, use ‘file viewers’ instead of the original application that created the file, to avoid accidental damage (when possible)

files stored in NTFS alternate data stream format may appear to contain 0 bytes when viewed through Windows Explorer

the Windows Sysinternals Streams tool reveals such files: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

collect file meta-data – information on the time of file creation, last access, and last writing

tools to use: ProDiscover, FTK

Page 35

Computer Investigation Phases (cont.)

Phase 4: Report the Investigation

1) Gather and Organize Information

gather all documentation and notes from the 3 earlier stages (Assess, Acquire, Analyze)

create a detailed list of all evidence collected

identify parts that are relevant to the investigation

identify parts that support your conclusions

2) Write the Report

organize the report in proper categories:

Purpose of Report

Author of Report

Incident Summary (in non-technical language)

Evidence (with information on what, who, when and how the digital evidence was collected)

Details (describing what was analyzed, methods and tools used, and findings obtained)

Conclusion (including references to the specific evidence that led to this conclusion)