
91.580.203 Computer Network Forensics








    1. 91.580.203 Computer & Network Forensics, Part I: Computer Forensics. Chapter 2: Understanding Computer Investigation

    2. Outline (Dr. Xinwen Fu)
       - Prepare a case
       - Conduct an investigation
       - Complete a case
       - Critique a case

    3. Course Outline
       - Incident occurs: point-in-time or ongoing
       - Pre-incident preparation: take actions to prepare the organization and CSIRT before an incident occurs
       - Detection of incident: identify a potential computer security incident
       - Initial response: perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident
       - Formulate response strategy: based on all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate, based on the conclusions drawn from the investigation
       - Investigate the incident: perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future
       - Reporting: accurately report information about the investigation in a manner useful to decision makers
       - Resolution: employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified

    4. Preparing a Computer Investigation
       - Role of a computer forensics professional:
         - Gather evidence to prove whether a suspect committed a crime or violated a company policy
         - Maintain valid evidence that can be offered in court or at a corporate inquiry
         - Follow an accepted scientific procedure to prepare a case

    5. Things to Do while Preparing a Case
       - Assessing the case
       - Planning the investigation
       - Securing evidence

    6. 1. Assessing the Case
       - Systematically outline the case details:
         - Nature of the case: public/private
         - Type of evidence
         - Location of evidence
       - Based on the case details, you can determine the case requirements:
         - Computer forensics tools
         - Special OSs

    7. 2. Planning your Investigation - Steps
       - A basic investigation plan should include the following activities:
         - Acquire the evidence
         - Complete an evidence form and establish a chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court
       - Prison Break videotape case (Michael Scofield and Lincoln Burrows):
         - Lincoln Burrows is lured to kill somebody
         - When he pulls out the gun in a garage, the victim is already dead
         - All is taped
         - The tape is manipulated so that it seems that Lincoln fires

    8. Single-Evidence Form

    9. 2. Planning your Investigation (Cont.)
       - Secure evidence in an approved secure container
       - Transport evidence to a computer forensics lab
       - Prepare a forensics workstation
       - Obtain the evidence from the secure container
       - Make a forensic copy of the evidence
       - Return the evidence to the secure container
       - Process the copied evidence with computer forensics tools

    10. 3. Securing your Evidence
       - Use evidence bags to secure and catalog the evidence
       - Use computer-safe products: antistatic bags/pads
       - Use well-padded containers
       - Use evidence tape to seal all openings: floppy disk or CD drives, power supply electrical cord
       - Write your initials on the tape to prove that the evidence has not been tampered with
       - Consider computer-specific temperature and humidity ranges

    11. Objectives: Prepare a case; Conduct an investigation (Overview; Preserving data on floppy disks; Preserving data on hard disks; Collecting data remotely; FTK for disk imaging and analysis); Complete a case; Critique a case

    12. Setting Up a Specific Workstation for Collecting Evidence
       - Why is DOS sometimes needed for acquiring data? Windows may contaminate files during maintenance
       - Set up a Windows 98 workstation to boot into MS-DOS (p. 40):
         - Display a Startup menu
         - Modify the Msdos.sys file using any text editor
       - Install a computer forensics tool: DriveSpy and Image

    13. Conducting an Investigation
       - Begin by copying the evidence using a variety of methods
       - Recall that no single method retrieves all data
       - The more methods you use, the better

    14. Gathering the Evidence
       - Take all necessary measures to avoid damaging the evidence
       - Place the evidence in a secure container
       - Complete the evidence custody form
       - Transport the evidence to the computer forensics lab
       - Create forensics copies (if possible)
       - Secure evidence by locking the container

    15. Understanding Data-Recovery Workstations and Software
       - Investigations are conducted in a computer forensics lab (or data-recovery lab)
       - Computer forensics and data recovery are related but different
       - Computer forensics workstation: a specially configured personal computer
       - To avoid altering the evidence, use:
         - Write-blocker devices
         - Forensics boot floppy disk

    16. Objectives: Prepare a case; Conduct an investigation (Overview; Preserving data on floppy disks; Preserving data on hard disks; Collecting data remotely; FTK for disk imaging and analysis); Complete a case; Critique a case

    17. Understanding Bit-stream Copies
       - Bit-by-bit copy of the original storage medium
       - Exact copy of the original disk
       - Different from a simple backup copy:
         - Backup software only copies known files
         - Backup software cannot copy deleted files or e-mail messages, or recover file fragments

    18. Understanding Bit-stream Copies (Cont.)
       - A bit-stream image file contains the bit-stream copy of all data on a disk or partition
       - Preferable to copy the image file to a target disk that matches the original disk's manufacturer, size, and model
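Added example (not part of the slides) illustrating slides 17 and 18 in Python: on a constructed toy medium, a backup copies only the files the directory still lists, while a bit-stream copy preserves the bytes of a deleted file and hashes identically to the original. The sector size, file contents and directory layout are constructed for illustration and do not model a real file system.

```python
import hashlib

# Constructed toy medium: 8 sectors of 128 bytes, no real file-system layout.
# Sector 0 holds a live file; sector 3 still holds the data of a file that was
# deleted (its directory entry is gone, its bytes are not).
SECTOR = 128

def build_medium():
    """Return (raw_bytes, directory) for the constructed medium."""
    disk = bytearray(SECTOR * 8)
    live = b"MEMO: quarterly numbers are final.".ljust(SECTOR, b"\x00")
    deleted = b"DRAFT: move the funds before the audit.".ljust(SECTOR, b"\x00")
    disk[0:SECTOR] = live
    disk[3 * SECTOR:4 * SECTOR] = deleted
    # The directory lists only the live file: name -> (offset, length).
    directory = {"memo.txt": (0, SECTOR)}
    return bytes(disk), directory

def backup_copy(disk, directory):
    """Backup software copies known files only, i.e. what the directory lists."""
    return {name: disk[off:off + ln] for name, (off, ln) in directory.items()}

def bitstream_copy(disk):
    """Bit-by-bit copy of the whole medium, allocated sectors or not."""
    return bytes(disk)

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def compare_copies():
    """Report what each copy preserves and whether the image hashes like the original."""
    disk, directory = build_medium()
    backup = backup_copy(disk, directory)
    image = bitstream_copy(disk)
    return {
        # Equal digests are the examiner's evidence that the image is an exact duplicate.
        "image_hash_matches": md5_hex(image) == md5_hex(disk),
        "backup_bytes": sum(len(v) for v in backup.values()),
        "image_bytes": len(image),
        "deleted_fragment_in_backup": any(b"DRAFT" in v for v in backup.values()),
        "deleted_fragment_in_image": b"DRAFT" in image,
    }

if __name__ == "__main__":
    for key, value in compare_copies().items():
        print(f"{key}: {value}")
```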

    19. Understanding Bit-stream Copies (Cont.)

    20. Objectives: Prepare a case; Conduct an investigation (Overview; Preserving data on floppy disks; Preserving data on hard disks; Collecting data remotely; FTK for disk imaging and analysis); Complete a case; Critique a case

    21. Creating a Forensic Boot Floppy Disk
       - Goal is not to alter the original data on a disk
       - A computer accesses files during startup. So what? When the boot process accesses files on the hard disk, it changes their date and time stamps, which can jeopardize an investigation, especially if a goal of the investigation is to determine when the computer was last used
       - Preferred way to preserve the original data is to never examine it: make forensic copies
       - Create a special boot floppy disk that prevents the OS from altering the data when the computer starts up
       - Windows 9x can also alter other files, especially if DriveSpace is implemented on a file allocation table (FAT) 16 disk

    22. Assembling the Tools for a Forensic Boot Floppy Disk
       - Tools:
         - Disk editor such as Norton Disk Edit or Hex Workshop
         - Floppy disk
         - MS-DOS OS
         - Computer that can boot to a true MS-DOS level
         - Forensics acquisition tool
         - Write-block tool

    23. Assembling the Tools for a Forensic Boot Floppy Disk (Cont.)
       - Steps:
         - Make the floppy disk bootable
         - Update the OS files to remove any reference to the hard disk (using Hex Workshop or Norton Disk Edit) (p. 50), in order to prevent access to c:\
         - Modify the command.com file on the floppy disk
         - Modify the Io.sys file on the floppy disk to disable DriveSpace
         - Add computer forensic tools
         - Test your floppy disk
         - Create several backup copies

    24. Objectives: Prepare a case; Conduct an investigation (Overview; Preserving data on floppy disks; Preserving data on hard disks; Collecting data remotely; FTK for disk imaging and analysis); Complete a case; Critique a case

    25. Retrieving Evidence Data Using a Remote Network Connection
       - Bit-stream image copies can also be retrieved over a workstation's network connection
       - Software: SnapBack, EnCase, R-Tools
       - Can be a time-consuming process even with a 1000-Mb connection
       - It takes less time using a NIC-to-NIC connection

    26. Objectives: Prepare a case; Conduct an investigation (Overview; Preserving data on floppy disks; Preserving data on hard disks; Collecting data remotely; FTK for disk imaging and analysis); Complete a case; Critique a case

    27. Review of Hash Algorithms
       - Also known as: message digests, one-way transformations, one-way functions, hash functions
       - Length of H(m) is much shorter than the length of m
       - Usually fixed lengths: 128 or 160 bits (16 bytes or 20 bytes)

    28. Applications of Hash Functions
       - Download software from the Internet: compare the MD5 hash listed on the web with the calculated MD5 hash of the download
       - Hash as the identity of a file
       - GPG4Win - EMail-Security using GnuPG for Windows, http://www.gpg4win.org/

    29. Applications of Hash Functions (Cont.)
       - Primary application: verify digital signatures

    30. Copying the Evidence Disk
       - Recall that a forensic copy is an exact duplicate of the original data
       - Create a forensic copy using MS-DOS or a specialized tool such as Digital Intelligence's Imager
       - First, create a bit-stream image; then, copy the image to a target disk

    31. Creating a Bit-stream Image with FTK Imager
       - Functions:
         - Create the image of a physical drive
         - Extract the image from a bit-stream image file
         - Analyze the image
       - Forensic Software Downloads (link): Forensic Toolkit® (FTK™) version; FTK Imager version or FTK Imager Lite version 1; Known File Filter Library File version (not necessary)

    32. Creating a Bit-stream Image with FTK Imager (Cont.)
       - Start Forensic Toolkit (FTK) Imager by double-clicking the icon on your desktop
       - Click File, Image Drive from the menu; insert the floppy disk labeled "Domain Name working copy #2"
       - In the dialog box that opens, click the A: drive to select a local drive, then click OK
       - A wizard walks you through the steps; accept all the defaults
       - Specify the destination folder; if necessary, create a folder called Forensics Files
       - Name the file Bootimage.1

    33. FTK Imager: Create Image

    34. FTK Imager: Read Image

    35. Analyzing Your Digital Evidence with Forensic Toolkit® (FTK™)
       - Your job is to recover data from: deleted files, file fragments, complete files
       - Deleted files linger on the disk until new data is saved on the same physical location
       - Tools: Digital Intelligence's DriveSpy, AccessData's FTK

    36. Analyzing Your Digital Evidence (Cont.)

    37. (slide image only)

    38. In-Class Exercise
       - Form the group
       - Check the checksums (MD5 and SHA1) of the downloaded gpg4win-1.1.3.exe by using WinPT within gpg4win
       - Play with FTK and search around the image
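Added example for slides 28 and 38 (not part of the course material): verifying a downloaded file against the MD5 and SHA1 values published beside it, using a constructed stand-in for gpg4win-1.1.3.exe. The "published" digests here are computed from the constructed payload, not taken from the real download page.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, chunk_size=1 << 20):
    """MD5 and SHA1 of a file, computed in one streaming pass (installers are large)."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_download(path, published):
    """Compare a file's digests with the values listed on the download page.

    `published` maps algorithm name ('md5', 'sha1') to the listed hex digest.
    Returns one boolean per algorithm; every one of them must be True.
    """
    actual = file_digests(path)
    return {
        alg: hmac.compare_digest(actual[alg], expected.strip().lower())
        for alg, expected in published.items()
    }

def demo():
    """Write a constructed stand-in installer and check it before and after a 1-byte change."""
    payload = b"MZ" + b"constructed installer bytes, not a real binary " * 100
    path = os.path.join(tempfile.mkdtemp(), "gpg4win-1.1.3.exe")
    with open(path, "wb") as fh:
        fh.write(payload)
    # What the vendor page would list for this constructed payload.
    published = {"md5": hashlib.md5(payload).hexdigest(),
                 "sha1": hashlib.sha1(payload).hexdigest()}
    genuine = verify_download(path, published)
    # One flipped byte (corruption or tampering in transit) must fail both checks.
    with open(path, "r+b") as fh:
        fh.seek(10)
        fh.write(b"\x00")
    tampered = verify_download(path, published)
    return genuine, tampered

if __name__ == "__main__":
    print(demo())
```

MD5 and SHA1 are the algorithms the slides use; both are now collision-prone, so a listing that also carries SHA-256, or an OpenPGP signature over the file, is the stronger integrity check.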

    39. Objectives: Prepare a case; Conduct an investigation; Complete a case; Critique a case

    40. Completing the Case
       - You need to produce a final report: state what you did and what you found
       - You can even include logs from the forensic tools you used
       - If required, use a report template
       - The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy

    41. Objectives: Prepare a case; Conduct an investigation; Complete a case; Critique a case

    42. Critiquing the Case
       - Ask yourself the following questions:
         - How could you improve your participation in the case?
         - Did you expect the results you found?
         - Did the case develop in ways you did not expect?
         - Was the documentation as thorough as it could have been?

    43. Critiquing the Case (Cont.)
       - Questions continued:
         - What feedback has been received from the requesting source?
         - Did you discover any new problems? What are they?
         - Did you use new techniques during the case or during research?
