COEN 252 Computer Forensics
Data Analysis Techniques for Hard Drives
Data Analysis Techniques
Create forensic duplicate
Protect original as best evidence
Review image file (with tools)
Report
Testify
Deleted files are overwritten if
Free, slack and unallocated space
Free: Outside of a partition.
Slack: Allocated, but unused overhang in the last cluster of a file
Unallocated: Not assigned to a current file.
The hard drive of a robbery suspect contains numerous references to his “little excursions”.
To tie the suspect to the computer, establish usage by suspect alone by:
The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images.
United States Court of Appeals, Eleventh Circuit. No. 97-2767
Windows NT, 2000, XP, 2003, 7 maintain log files
Event Log Dump
From forensics duplicate
(Forensics workstation will not interpret these.)
Internet Information Services (IIS) has its own set of logs.
A special agent of the Illinois Attorney General’s Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer’s monitor when the shortcut was activated. Casey, p. 153
WinNT, 2000, XP
IF YOU MESS UP THE REGISTRY, YOU NEED TO REBUILD YOUR SYSTEM.
In a recent investigation by the Los Angeles County Sheriff’s Computer Crime Unit, a detective investigated an employee suspected of misappropriating confidential computer information stored by his company. When the detective examined one of the workplace computers, he found remnants of a key-trapping program in the registry. During an interview, the suspect admitted to having installed, used, and deleted the key-trapping program for the purposes of obtaining user names and passwords of coworkers.
Department of Consumer Affairs in Orange County, CA, arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiners requested a second review from the California Department of Insurance, Fraud Division, the Computer Forensics Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive were the enhanced metafiles. The defendant was convicted at trial. Casey, p. 163
To find rogue processes on a duplicate image
remote /s "cmd.exe" mysystem
remote /c "cmd.exe" mysystem
Remote Syslog Server logs
May 13 23:11:45 victim sshd: ROOT LOGIN REFUSED FROM www.scu.edu
May 13 23:19:03 victim in.tftpd: connect from 10.10.10.10
Other network logs
Logon attempt logs
[linuxbox] # ls -al
drwxr-x--- 5 root root 4096 Dec 12 04:47 .
drwxr-x--- 5 root root 4096 Dec 8 01:27 ..
-rw------- 1 root root 108 Dec 12 04:47 .XAuthority
-rw-r--r-- 1 root root 1198 Aug 23 04:47 .XDefaults
lrwxrwxrwx 1 root tty 9 Dec 8 14:12 .bash_history -> /dev/null
# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
# grep PROMISC /sbin/ifconfig
Binary file /sbin/ifconfig matches
# grep -r -I password /
# find / -name "\.\.\." -print
SECURITY INCIDENT EXAMPLE
# cp /bin/sh /tmp/break-acct
# chmod 4755 /tmp/break-acct
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
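The checks shown above (a history file linked to /dev/null, the "..." name search, and the SUID/SGID search) gathered into one script to run against a read-only mount of the duplicate. This is an added example, not part of the original slides; the function names, the mount-point argument and the sample tree are assumptions, and the ".. " name pattern goes slightly beyond the slide's "..." search.

```shell
#!/bin/sh
# Added example, not from the original slides. Function names and the
# mount-point argument are assumptions; mount the duplicate read-only first.

# SUID/SGID regular files (e.g. a shell copied to /tmp and made set-uid).
find_setid() {
    find "$1" -xdev \( -perm -004000 -o -perm -002000 \) -type f -print
}

# Names such as "..." or ".. " that blend in with "." and ".." in a listing.
find_dot_names() {
    find "$1" -xdev \( -name '...' -o -name '.. *' \) -print
}

# Shell history files replaced by a symlink to /dev/null.
find_nulled_history() {
    find "$1" -xdev -type l -name '.*history' -print |
    while IFS= read -r link; do
        if [ "$(readlink "$link")" = "/dev/null" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Constructed sample tree standing in for a mounted image (test data only).
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tmp" "$t/root" "$t/usr/lib/..."
    printf 'placeholder\n' > "$t/tmp/break-acct"
    chmod 4755 "$t/tmp/break-acct"
    printf 'placeholder\n' > "$t/tmp/notes.txt"
    ln -s /dev/null "$t/root/.bash_history"
    printf '%s\n' "$t"
}

triage_image() {
    root=${1:?usage: triage_image MOUNT_POINT}
    echo "== SUID/SGID files";             find_setid "$root"
    echo "== dot-only names";              find_dot_names "$root"
    echo "== history linked to /dev/null"; find_nulled_history "$root"
}

# Run against a mount point if one is given, e.g.: sh triage.sh /mnt/image
if [ "$#" -gt 0 ]; then triage_image "$1"; fi
```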
Hide “bad” files
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd