Lecture 3 initial assessment
Lecture 3: Initial Assessment

6/4/2003

CSCE 590

Summer 2003


Collect the Most Volatile Evidence First

  • Memory

  • Swap space or page file

  • Network status and connections

  • Processes running

  • Storage media

  • Removable media


Preparation

  • Assemble toolkits

  • Clean your media

    • Before imaging evidence media to your media

    • # dd if=/dev/zero of={device}

    • Clean floppy:

      • # dd if=/dev/zero of=/dev/fd0 bs=1024

      • # dcfldd if=/dev/zero of=/dev/fd0 bs=1024 hashwindow=1024 hashlog=a:\hashlog.txt


dd and dcfldd

  • Low level command

  • Copies bit for bit

  • Does not ‘know’ the structure of the data it copies

  • Can copy:

    • Single file

    • Piece of a file

    • Partition

    • Logical or physical disks

    • From stdin and to stdout

  • dcfldd – dd with integrated MD5 hashing


dd and dcfldd Usage

  • Typical arguments:

    • if=device input file or device

    • of=device output file or device

    • bs=# block size, amount of data transferred in one I/O operation (important on tape)

  • dcfldd

    • hashlog=a:\hashfile.txt

    • hashwindow=1024 – hash every 1024 bytes


Mystery Tape Block Sizes

  • # dd if=device bs=128k of=/tmp/tapetest count=1

    • Read data, using block size of 128k until it hits the first record gap

    • If 128k isn’t big enough, you get an error

    • Else, size of /tmp/tapetest = block size of tape

  • What kind of tape? tar, cpio, dump?

    • # file /tmp/tapetest


Splitting an Image up

  • Copy 600 one-megabyte blocks per image (skip counts input blocks, so each slice starts at the block right after the previous slice’s last one)

  • # dd if=device of=media.slice1.img bs=1048576 count=600

  • # dd if=device of=media.slice2.img bs=1048576 count=600 skip=600

  • # dd if=device of=media.slice3.img bs=1048576 count=600 skip=1200

  • # dd if=device of=media.slice4.img bs=1048576 count=600 skip=1800
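As an added example (not from the lecture), the slicing procedure above with skip computed per slice, combined with the per-slice hashing that the dd/dcfldd slides rely on; the "disk" is a constructed temporary file, and md5sum (or POSIX cksum) and mktemp are assumed to be available:

```shell
# Added example, not from the lecture: slice an image as the slide does, but
# compute skip as (slice - 1) * count so no input block is lost at a boundary,
# hash each slice, then prove the slices reassemble to the original.
# The "device" in demo_slicing is a constructed temporary file.

hash_file() {
    # md5sum as on the slides where available, POSIX cksum otherwise
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# slice_image DEVICE PREFIX BLOCKSIZE BLOCKS_PER_SLICE
# Writes PREFIX.sliceN.img plus PREFIX.md5; prints the number of slices.
slice_image() {
    dev=$1; prefix=$2; bs=$3; count=$4
    n=1; skip=0
    : > "$prefix.md5"
    while :; do
        out="$prefix.slice$n.img"
        dd if="$dev" of="$out" bs="$bs" count="$count" skip="$skip" 2>/dev/null || true
        # once skip is past the end of the input, dd writes an empty file
        if [ ! -s "$out" ]; then rm -f "$out"; break; fi
        printf '%s  %s\n' "$(hash_file "$out")" "$out" >> "$prefix.md5"
        skip=$((skip + count))   # next slice starts at the block after this one
        n=$((n + 1))
    done
    echo $((n - 1))
}

# verify_slices DEVICE PREFIX: join slices in numeric order (not glob order,
# which would put slice10 before slice2) and compare hashes. Prints MATCH/MISMATCH.
verify_slices() {
    dev=$1; prefix=$2
    : > "$prefix.joined.img"
    n=1
    while [ -f "$prefix.slice$n.img" ]; do
        cat "$prefix.slice$n.img" >> "$prefix.joined.img"; n=$((n + 1))
    done
    [ "$(hash_file "$prefix.joined.img")" = "$(hash_file "$dev")" ] && echo MATCH || echo MISMATCH
}

# Constructed 2000 KiB disk image, 600 KiB slices (bs=102400 count=6): 4 slices
demo_slicing() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.img" bs=1024 count=2000 2>/dev/null
    slice_image "$work/disk.img" "$work/media" 102400 6 >/dev/null
    verify_slices "$work/disk.img" "$work/media"   # prints MATCH
    rm -rf "$work"
}
```

With the slide's original skip=601/1201/1801 the joined image would be missing one block at each boundary and verify_slices would report MISMATCH.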


Typical UNIX Devices

  • /dev/fd0 – floppy

  • /dev/st0 – tape

  • /dev/hda – first IDE hard drive

  • /dev/hdb – second IDE hard drive

  • /dev/sda – first SCSI hard drive

  • /dev/sdb – second SCSI hard drive


Network dd

  • No local clean media on victim machine, can’t reboot yet

    • netcat (nc) and dd (may want encryption too)

    • Forensic rig with cleaned media:

      • # nc -l -p 31337 | dd of=(local clean media)

    • Victim system:

      • # dd if=(local physical disk) | nc -w 3 forensic.rig.net 31337

    • nc host port (send to host on port)

      • -w 3 (wait 3 milliseconds between packets)

      • -l (listen mode, send mode is default)

      • -p port (listen on port, use with listen mode)


Date and Time

  • Windows

    • Date

    • Time

  • Unix

    • w

    • date


System Configuration Information

  • Windows:

    • psinfo

    • at

    • ‘net’ commands:

      • accounts, file, session, share, start, use, user, view

  • Unix

    • df -k

    • uname -a

    • ifconfig -a

    • uptime


Current Users

  • Windows

    • psloggedon

  • Unix

    • w

    • who


Network Status and Connections

  • Windows

    • arp -a – IP to physical addr

    • netstat -anpr – open sockets

    • fport – socket processes

    • nbtstat – systems connected

  • Unix

    • arp -a – IP to physical addr

    • netstat -anpr – open sockets

    • lsof -i – socket processes

    • netstat – systems connected


Running Processes

  • Windows

    • procinterrogate -list

    • pslist -x – check other options too

  • UNIX

    • ps -wwwaux

    • ps -ef

    • lsof

    • kstat -P – find LKM-hidden processes

      • LKM = dynamically loadable kernel modules (like device drivers)

      • kstat -s – finds clues of LKM rootkits

    • /proc – kernel data structures for processes
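The Unix commands from the Date and Time, System Configuration, Current Users, Network Status and Running Processes slides, run as one collection in order of volatility, as an added example (not from the lecture). It assumes md5sum or cksum is present and records any tool the host lacks as skipped instead of silently omitting it:

```shell
# Added example, not from the lecture: run the Unix live-response commands
# from the slides in order of volatility, saving each command's output with
# a UTC timestamp and a hash in a manifest so the collection can be checked
# later. Tools missing on this host are recorded as skipped, not silently dropped.

hash_file() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# run_step OUTDIR NAME COMMAND [ARGS...]: save stdout+stderr to OUTDIR/NAME.txt
# and append "hash  name  time" to OUTDIR/manifest.txt
run_step() {
    dir=$1; name=$2; shift 2
    out="$dir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true      # a failing tool still leaves its error text
    else
        echo "SKIPPED: $1 not found on this host" > "$out"
    fi
    printf '%s  %s  %s\n' "$(hash_file "$out")" "$name" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$dir/manifest.txt"
}

# collect_volatile OUTDIR: most volatile first (network state and processes
# change fastest), configuration last. Prints the number of steps recorded.
collect_volatile() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/manifest.txt"
    run_step "$dir" date     date              # when the collection started
    run_step "$dir" uptime   uptime
    run_step "$dir" netstat  netstat -an       # open sockets, numeric
    run_step "$dir" arp      arp -an           # IP to physical addr, no DNS lookups
    run_step "$dir" lsof_net lsof -n -P -i     # socket-owning processes
    run_step "$dir" ps       ps -ef            # running processes
    run_step "$dir" w        w                 # logged-in users and their activity
    run_step "$dir" who      who
    run_step "$dir" uname    uname -a
    run_step "$dir" ifconfig ifconfig -a
    run_step "$dir" df       df -k
    wc -l < "$dir/manifest.txt" | tr -d ' '
}
```

Write OUTDIR to clean media (or pipe it through nc to the forensic rig as the Network dd slide shows) rather than to the victim's own disk.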


Swap Space or Page File

  • When there isn’t enough memory, chunks of processes will be paged out to disk

  • Older systems, entire processes are swapped out to disk

  • Windows:

    • copy c:\pagefile.sys d:

    • copy c:\win386.swp d: (Win9x)

  • Unix:

    • Can get it when imaging whole drive


Memory

  • Windows:

    • Don’t use book’s method

    • Modified dd at:

      • http://users.erols.com/gmgarner/forensics/

    • # dd if=\\.\PhysicalMemory conv=noerror | nc forensic.rig.net 31337

    • Or use pmdump

  • Unix

    • # dd if=/dev/mem | nc forensic.rig.net 31337

    • # dd if=/dev/kmem | nc forensic.rig.net 31337

    • # dd if=/dev/kcore | nc forensic.rig.net 31337


Storage Media

  • Imaging to work on copies

  • Use MD5 hashes

  • Write blockers

    • Software

    • Hardware

    • busTRACE: http://www.bustrace.com/ for live imaging


Removable Media

  • Make sure to flush pending writes (sync) to removable media before removing it

  • Can be imaged like storage media


Physical Collection Issues

  • Don’t overlook fingerprints on keyboard and mouse to place person at keyboard

  • Evidence exposed to hazardous material, chemical weapons, toxic waste

    • Have it evaluated and approved by HAZMAT experts

  • Organic chemicals, biological matter, fingerprint, or other forensic tests:

    • Fingerprinting process (cyanoacrylate) will severely damage electronic media

    • Scraping can physically damage media (floppy)


Wet Media

  • Soaked or immersed electronic media:

    • Keep it immersed in distilled water

    • Drying in uncontrolled conditions can lead to deposits

    • Photograph any paper labels on magnetic media before immersion in distilled water

  • Tape or floppy just a little wet

    • Seal in a plastic bag, don't immerse

  • Paper, cellulose based media, printouts:

    • Freeze or freeze-dry if wet


Wet Media

  • Flood damage

    • Immerse and flush with clean water

    • Salt water:

      • Place in container or plastic bag with enough ocean water to keep it immersed

      • Immerse and flush it in distilled water ASAP

  • Immersion may cause biological evidence to deteriorate

    • Separate samples before immersion if they are plentiful or it is easy

    • Be aware and make judgment calls


Tape: Physical Issues

  • Age, disuse, poor storage conditions

    • Layers can become sticky and stick together or to the read head

    • Static buildup increases read error rates

    • Unrolling untreated tape can cause oxide layer to be torn from substrate

  • Collect all pieces, can help with splices

  • Ship to lab to be processed and reconditioned


Lecture 3 initial assessment

  • Reading for Lectures 2-5:

    • Mandia/Prosise: Chapters 2-5, 9

    • Casey: Chapter 2 (in Reading Room)

  • Homework 1: Due Monday, June 9, 2003

