Information Systems 365/765 Lecture 8 Digital Forensics
Page 1: Digital forensics

Information Systems 365/765 Lecture 8

Digital Forensics

Page 2: Digital forensics

Digital Forensics

• Also known as Computer Forensics

• A system in your enterprise has been compromised

• You want to track down suspicious activity

• Where do you begin?

Page 3: Digital forensics

Digital Forensics

• Defined: Pertains to legal evidence found in computers and digital storage mediums.

• Goal: To explain the current state of a “digital artifact.”

• A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.

Page 4: Digital forensics

Digital Forensics

• Can be as simple as retrieving a single piece of data

• Can be as complex as piecing together a trail of many digital artifacts

Page 5: Digital forensics

Why Use Digital Forensics?

• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).

Page 6: Digital forensics

Why Use Digital Forensics?

• To recover data in the event of a hardware or software failure.

• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.

Page 7: Digital forensics

Why Use Digital Forensics?

• To gather evidence against an employee that an organization wishes to terminate.

• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

Page 8: Digital forensics

Chain of Custody

• “Chain of Custody” is a fancy way of saying “The ability to demonstrate who has had access to the digital information being used as evidence”

• Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law.

Page 9: Digital forensics

Chain of Custody

• One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court.

Page 10: Digital forensics

5 Steps in Performing Digital Forensics

• Preparation (of the investigator, not the data)

• Collection (the data)

• Examination

• Analysis

• Reporting

Page 11: Digital forensics
Page 12: Digital forensics

Preparation

• The investigator must be properly trained to perform the specific kind of investigation that is at hand.

• Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case.

Page 13: Digital forensics

Collecting Digital Evidence

• Digital evidence can be collected from many obvious sources, such as:

• Computers

• Cell phones

• Digital cameras

• Hard drives

• CD-ROM

• USB storage flash drives

Page 14: Digital forensics

Can You Think of Non-Obvious Sources?

• Non-obvious sources could include:

• Settings of digital thermometers

• Black boxes inside automobiles

• RFID tags

• Web pages (which must be preserved as they are subject to change).

Page 15: Digital forensics

!!BE CAREFUL!!

• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.

Page 16: Digital forensics

Create Proof of Non-Alteration

• For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.

Page 17: Digital forensics

Important Data Handling Practices

• Handle the original evidence as little as possible to avoid changing the data.

• Establish and maintain the chain of custody.

• Document everything that has been done.

• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

Page 18: Digital forensics

The Personal Interview

• Some of the most valuable information obtained in the course of a forensic examination will come from the computer user:

• System configuration

• Applications

• Encryption keys

Page 19: Digital forensics

Who Performs the Analysis

• Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.

• One should not examine digital information unless one has the legal authority to do so.

Page 20: Digital forensics

Live vs. Dead Analysis

• Traditionally computer forensic investigations were performed on data at rest---for example, the content of hard drives. This can be thought of as a dead analysis.

Page 21: Digital forensics

Live vs. Dead Analysis

• Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.

Page 22: Digital forensics

Live vs. Dead Analysis

• In recent years there has increasingly been an emphasis on performing analysis on live systems

• Why? -- Some attacks leave no trace on the hard drive

• Why? -- Cryptographic storage, with keys only stored in memory!

Page 23: Digital forensics

Live Analysis -- Imaging Electronic Media

• The process of creating an exact duplicate of the original evidentiary media is often called Imaging

• Standalone hard-drive duplicator or software imaging tools ensure the entire hard drive is completely duplicated.

Page 24: Digital forensics

Live Analysis -- Imaging Electronic Media

• During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
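A worked version of the hash-and-record practice from the "Create Proof of Non-Alteration" slide, applied here to confirm that an image matches its source media. This is an added example, not code from the lecture; it assumes SHA-256 (the slides name no algorithm), a constructed evidence file, and a plain file copy standing in for a hardware duplicator.

```python
"""Evidence integrity check for the lecture's hashing (Page 16) and imaging
(Pages 23-24) slides. Added example, not from the slides. Assumes SHA-256."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so large images never load into RAM at once

def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log_path, evidence_path, digest, handler, action):
    """Append one chain-of-custody entry (who, what, when, hash) to a log."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "evidence": os.path.basename(evidence_path),
             "sha256": digest}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify(path, recorded_digest):
    """True only if the file still hashes to the digest recorded at collection."""
    return sha256_file(path) == recorded_digest

def image_and_verify(source, image):
    """Byte-for-byte copy (stand-in for a duplicator), then confirm both hash alike."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return sha256_file(source) == sha256_file(image)

def demo():
    """Constructed sample: hash+log evidence, image it, damage the image, re-verify."""
    d = tempfile.mkdtemp()
    orig, img, log = (os.path.join(d, n) for n in ("ev.bin", "ev.dd", "custody.jsonl"))
    with open(orig, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    digest = sha256_file(orig)
    record_custody(log, orig, digest, "investigator A", "collected")
    imaged_ok = image_and_verify(orig, img)
    with open(img, "r+b") as f:  # one byte changed: the image no longer verifies
        f.write(b"X")
    return imaged_ok, verify(orig, digest), verify(img, digest)  # (True, True, False)
```

The custody log is append-only JSON lines, so each later handling step adds its own entry and the original digest stays beside it for comparison.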

Page 25: Digital forensics

Collecting Volatile Data

• If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded.

• If information stored solely in RAM is not recovered before powering down it may be lost.

Page 26: Digital forensics

A Great Tool Which YOU Can Impress People With

• Knoppix

• An OS which runs directly from a CD

• Will not alter data on hard disk

• Great for grabbing copies of files from a hard disk!

• Can be loaded from a USB flash drive

Page 27: Digital forensics

Knoppix

• Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently accessed local email applications including MS Outlook.

Page 28: Digital forensics

Knoppix

Page 29: Digital forensics

Encase

Page 30: Digital forensics

Freezing Memory

• RAM can be analyzed for prior content after power loss

• Freezing the memory to -60 degrees Celsius helps maintain the memory’s charge (state)

• How practical is this?

Page 31: Digital forensics

Analysis

• All digital evidence must be analyzed to determine the type of information that is stored upon it

• FTK

• Encase

• Sleuth Kit

Page 32: Digital forensics

Analysis of Data

• Comprised of:

• Manual review of material on the media

• Reviewing the Windows registry for suspect information

• Discovering and cracking passwords

• Keyword searches for topics related to the crime

• Extracting e-mail and images for review.

Page 33: Digital forensics

Reporting

• Written

• Oral Testimony

• Both

• Subject matter area specialists

Page 34: Digital forensics

Examples of Digital Forensics Cases

• Chandra Levy

• Washington D.C. Intern for Representative Gary Condit

• Vanished April 30, 2001

Page 35: Digital forensics

Examples of Digital Forensics Cases

• She had used the web and e-mail to make travel arrangements and communicate with her parents.

• Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.

Page 36: Digital forensics

Examples of Digital Forensics Cases

• BTK Killer

• Convicted of a string of serial killings that occurred over a period of sixteen years

• Towards the end of this period, the killer sent letters to the police on a floppy disk.

Page 37: Digital forensics

Examples of Digital Forensics Cases

• Metadata is defined as “data about data”

• Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"

• This evidence helped lead to Dennis Rader's arrest.
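The kind of "data about data" lookup described above, as an added example that is not part of the lecture: it opens a word-processor document package and reads the author, last-editor, creation-time and company fields. It assumes the modern OOXML (.docx) container (older binary Word files keep the same fields in a different structure) and a constructed sample document whose values are invented.

```python
"""Extract authorship metadata from a .docx (OOXML) package: the "data about
data" the slides describe. Added example, not from the lecture; assumes the
OOXML format and a constructed sample document with invented values."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields an examiner looks at first: who created/edited the file, when, and where
FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
                          "created": "dcterms:created", "modified": "dcterms:modified"},
    "docProps/app.xml": {"company": "ep:Company", "application": "ep:Application"},
}

def extract_metadata(docx_bytes):
    """Return {field: value} for each metadata field present in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, wanted in FIELDS.items():
            if part not in z.namelist():
                continue  # a document with stripped properties may lack the part
            root = ET.fromstring(z.read(part))
            for key, tag in wanted.items():
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found

def build_sample_docx():
    """Constructed stand-in for a seized document; every value is invented."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>J. Example</cp:lastModifiedBy>'
            '<dcterms:created>2004-01-01T00:00:00Z</dcterms:created>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    app = ('<Properties xmlns="%s"><Application>Example Word</Application>'
           '<Company>Example Org</Company></Properties>') % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

Run it against a hashed working copy of the seized file, never the original, so the metadata read leaves the evidence untouched.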