CSI Georgia: Introduction to Computer Forensics - PowerPoint PPT Presentation

Gabriel
csi georgia introduction to computer forensics l.
Skip this Video
Loading SlideShow in 5 Seconds..
CSI Georgia: Introduction to Computer Forensics PowerPoint Presentation
Download Presentation
CSI Georgia: Introduction to Computer Forensics

play fullscreen
1 / 54
Download Presentation
CSI Georgia: Introduction to Computer Forensics
652 Views
Download Presentation

CSI Georgia: Introduction to Computer Forensics

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CSI Georgia: Introduction toComputer Forensics Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ brent@speakwisdom.com KSU ETTC http://edtech.kennesaw.edu

  2. Objectives • Gain Basic Knowledge • What is Computer Forensics? • What are Concepts? • What are Procedures? • What Not to do? • Learn Some Basic Techniques • Raise Level of Awareness

  3. Caveat • This workshop is not dispensing legal advice • Use what you hear, read, and do in this class at your risk • Consider this class a starting point • There is much more to learn about computer forensics

  4. Be a Professional • Cell Phones and Pagers on Silent • Take Notes – Treat this like a College Level Course • Ask Questions – Take full advantage of this opportunity • Help your neighbor

  5. Organizations • High Technology Crime Investigation Association • www.htcia.org • Atlanta HTCIA • www.atlhtcia.org • Southeast Cybercrime Summit • March 19-23, 2007 • www.southeastcybercrimesummit.com

  6. Places & Products • Access Data (FTK) • www.accessdata.com • X-Ways Forensics (winhex) • www.x-ways.com • ProDiscover • www.techpathways.com • Helix • www.e-fense.com

  7. Certification • Certified Computer Examiner • http://www.certified-computer-examiner.com/index.html • More • Books

  8. The Need for Computer Forensics • High-Tech Crimes are Increasing • Computer Forensics Has Come Into Its Time • Computer Crimes Happen in All Environments • Business • Home • Schools

  9. Concerns • Pornography • Child Pornography • Emails • Instant Messages • Web-sites (MySpace) • Bullying • Emotionally Troubled

  10. Flash Memory What role will it play in your school?

  11. PDA’s and Cell Phones • Palm • Fading? • Lots of aps and storage (flash) • Infrared and BlueTooth beaming • Windows Mobile • Catching on • Lots of storage (flash) • Familiar interface • Easily networked • Feature • WiFi, Bluetooth, EVDO (CDMA) • VGA display

  12. Ideal Forensics Background • Legal, Technical and Law Enforcement • Missing Skills? Build a Team! • Attorney or Legal Advisor • Strong “geek” • Vast knowledge required • School Law Enforcement Person • Others?

  13. Main Forensics Emphasis • Identify the Evidence • Determine how to preserve the evidence • Extract, process, and interpret the evidence • Ensure that the evidence is acceptable in a court of law

  14. Evidence • Computer evidence is fragile • Evidence is easily planted • Journaling is critical • Must be able to show chain • See www.cybercrime.gov

  15. Rules • Law enforcement works under more restrictive rules • More latitude in schools/businesses • Follow “Best Practices” • You lose control when authorities are brought in • Discover child porn? Call police.

  16. What to Prosecute • Decision Factors • Amount of Harm Inflicted is decision factor • Need to discourage future activity • Successful Investigation? • Evidence collected correctly • Chain preserved

  17. Evidence • Can include electronic data • Can include devices • Computers • CD-ROMs • Floppies • Cellular Telephones • Pagers • Digital Cameras

  18. Get Training • Multiple levels of expertise • Learn basic procedures • Gain expertise in technical areas • Get certified • Get degree

  19. Forensics in School Systems • Security and Forensics projects don’t generate revenue • Or FTEs • Hard to get “higher up” to understand need • Shoestring budget • Money for training • Consider forensics/data recovery

  20. End User Training • Users need to be aware • School system policies • Expectation of privacy • Consequences for surfing/storing bad stuff • Social Engineering • Spyware • Laws • Requirements to guard information • Illegal Activities

  21. “A computer Forensics Technician is a combination of private eye and computer scientist.”

  22. Know your hardware • Servers • Workstations • PDAs • CD-ROM, CD/DVD, Zip • Webcams • Modems • Key Loggers • USB Devices • Firewire/Bluetooth • Wireless

  23. Know your operating system • Windows • 9x, 2000, 2003, XP • Unix/Linux • OS X • DOS

  24. Know the File System • FAT • NTFS • EXT2/EXT3

  25. Auditing and Logging in an OS • Event viewer • Auditing

  26. Will this End Up in Court • Assume your case will! • Courts require ample unaltered evidence • Evidence must be processed properly • Specially trained teams should conduct investigation

  27. Types of Evidence • Real Evidence • Documentary evidence • Testimonial evidence • Demonstrative evidence

  28. Evidence Gathering • Photograph scene • Record details in notebook • PC model and serial • Hard-drive model and serial • Note conditions around PC • Get BIOS date and time • Power-off or Shut-down? • Remove Hard Drive • Image on scene or at lab

  29. Evidence Gathering • Have secure-erased drives ready • Get Suspect Drive Image • Attach a write-blocker • Get two or more images of the drive • Seal original drive • Place a copy of the drive back in the PC • Original drive should be locked away

  30. Preparing an Evidence Drive • Use USB drive case

  31. Preparing an Evidence Drive • Use large drives • Have several • Secure erase all drives • Record date, time, and method • Store in locked area • Software? • Winhex (free) • www.x-ways.net

  32. LAB 1A PREPARE EVIDENCE DRIVE Install WinHex Connect Evidence Drive to Analysis PC WinHex Pro Select Physical Media (not Logical Drive) Edit / Fill Sectors / hex 00 Will take several minutes (25 min for 40Gb)

  33. Image Options IMAGING SUSPECT PC Image Options 1. Remove HD from Suspect, place as Slave in Analysis PC IDE or SATA connection Use Write Blocker, Winhex 2. Remove HD from PC, Attach Write Blocker Connect to analysis PC, Winhex 3. Boot from CD, Image to USB drive Helix Certified not to write to suspect drive

  34. Sources for Write Blockers • www.digitalintelligence.com • www.blackbagtech.com • www.forensicpc.com

  35. The Best Approach • Remove Drive, write block, attach to analysis PC • Get image • Multiple copies • Image Type • Drive to Drive • Drive to Image File (DD)

  36. Alternative: • Boot suspect PC with Helix • Easiest for laptops • Attach USB evidence drive • Use AIR or similar tool to image drive

  37. Lab 1B: Image to Drive Put WinHex on Analysis PC Mount HD0 (Drive) Image to USB Evidence Drive Boot PC with Helix CD Open terminal window Dcfldd if=/dev/hda of=/dev/sda Speed: 4 min per GB Use AIR Boot from Helix CD (Turn off evidence drive for next step)

  38. Lab 1C: Image to File • Use flash key as suspect drive • Mount flash key in WinHex • Get image (file) and hash • Verify hash of image file

  39. What is the Hash (MD5) • Used to verify that image is accurate • MD5 suspect drive or partition • MD5 image • Should match • Record!

  40. Analysis • While booted in Windows • Examine Helix • Install and use ExifPro • Windows Search • Show Hidden Files • While booted in Helix • Find Files • Show Images • Prodiscover

  41. LAB 3A – Examine Image with Windows • MyComputer • Search • Wrong Extension? • Encrypted? • Helix Utilities

  42. LAB 3B – Inspect Image File • USING WINHEX TO INSPECT IMAGE FILE from DVD • Open Image File in WinHex • Tools / Disk Tools / File Recover By Type • Pick JPG, other? • Write results to folder on C:

  43. Email - Outlook Express • Local Settings\Application Data\Identities\…\Microsoft\Outlook Express • OE Reader (free) • Mail stored in .dbx files

  44. LAB 4 – Examine PC with Helix • Examine PC with Helix Windows • System Information • Drive letter discrepancy? • Incident Response • Windows Forensics Toolchest • Security Reports • (others want NetCat) • Scan for Images • (no path information) • Windows Search (for files) • Disk Management (for drives, partitions)

  45. Lab 5 – Examine while Booted with Helix • Look for files • Look for images

  46. Passwords and Encryption • NTPassword • http://home.eunet.no/pnordahl/ntpasswd/ • Password Tools • http://www.passwordportal.net/ • http://www.brothersoft.com/downloads/crack-password.html • http://www.elcomsoft.com/index.html • http://www.accessdata.com/

  47. LAB 6 – PRODISCOVER • Create Case • View Report progress • Add Image of C: Partition • View Report progress • Content View • Examine Deleted Files • Click check box on interesting file • Make comment • View Report progress • Look in badpics2 folder • Gallery view • Examine Cluster View

  48. LAB 6A – PRODISCOVER • Content Search • Search for pattern • Drugs, sex, etc. • Click Search Results • Note docs and email! • Check and interesting file and comment • Review Report • Search for Files Named… • Search for *.jpg

  49. LAB 6B - PRODISCOVER • What about files with wrong ext? • Pick Folder on Left Side • Tools – Signature Matching • Sig file is Headersig.txt • Match recursively • Highlight and add to report • View Report • Drill into folder with mismatch – note highlight • Export Report