
Computer Forensics BACS 371

Computer Forensics BACS 371. Evidentiary Methods II: Evidence Acquisition. OK, What do we do first?. Basic Forensic Methodology. Acquire the evidence (legally) Authenticate that it is the same as the original Analyze the data without modifying it. Photographing Systems.

yeo-clayton




Presentation Transcript


  1. Computer Forensics BACS 371 Evidentiary Methods II: Evidence Acquisition

  2. OK, What do we do first?

  3. Basic Forensic Methodology • Acquire the evidence (legally) • Authenticate that it is the same as the original • Analyze the data without modifying it

  4. Photographing Systems Before you do anything, begin documentation by photographing all aspects of the system… • Monitor • Desk and surrounding area • All 4 sides of PC • Labeled cables still connected

  5. Evidence Acquisition Process1 • Disassemble the Case of the Computer • Identify storage devices that need to be acquired (internal/external/both) • Document internal storage devices and hardware configuration • Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …) • Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, …) • Disconnect storage devices (power, data, or both) • Controlled boots • Capture CMOS/BIOS info (boot sequence, time/date, passwords) • Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …) • Controlled boot to capture drive config (LBA, CHS, …) 1Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3. Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

  6. Forensic Analysis CYA • Virus Check • Forensic computer • Media being processed • Collect System Information • Complete computer hardware inventory • CHKDSK/SCANDISK • Look for “orphan clusters” • “Tech” Program for Forensic computer

  7. Role of the First Responder • Scene of the Cybercrime1 • Do No Harm! • Identify the Crime Scene • Protect the Crime Scene • Preserve Temporary and Fragile Evidence • A guide for First Responders2 • Secure and Evaluate the Scene • Document the Scene • Collect Evidence • Packaging, Transportation, and Storage of Evidence • Forensic Examination 1Scene of the Cybercrime, Shinder & Tittel, p.553 2Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

  8. Role of Investigators1 • Establish Chain of Command • Conduct Crime Scene Search • Maintain Integrity of Evidence 1Scene of the Cybercrime, Shinder & Tittel, p.554

  9. Role of Crime Scene Technician1 • Preserve volatile evidence and duplicate disks • Shut down systems for transport • Tag and log evidence • Transport evidence • Process evidence 1Scene of the Cybercrime, Shinder & Tittel, p.555

  10. Computer Seizure Checklist1 • Photograph the monitor • Preserve Volatile Data • Shutdown Systems • Photograph the System Setup • PC – all sides • Label all connections • Unplug system and peripherals – mark & tag • Bag and tag all components • Bitstream Copy of Disk(s) - (offsite usually) • Verify integrity of copies - (offsite usually) 1Scene of the Cybercrime, Shinder & Tittel, p.557

  11. Handling, Transportation, Storage • Static Electricity • External RF signals • Heat • Humidity • Sunlight

  12. Evidence Logs • Lists all evidence collected • Description of each piece of evidence with serial numbers & other ID information • Identifies who collected the evidence and why • Date and Time of collection • Disposition of Evidence • All transfers of custody

  13. Evidence Analysis Logs • How each step is performed • Who was present • What was done • Result of procedure • Time/date • Document all potential evidence • Filename • Where on disk data are located • Date and time stamps • Network information (MAC address, IP address) • Other file properties (metadata)
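Slides 12 and 13 list what an evidence log must record: each item with its identifying information, who collected it and why, the date and time, its disposition, and every transfer of custody. The following is an added example, not material from the slides or from the cited sources, of how that log can be kept as a data structure whose chain of custody cannot silently skip a link and whose contents can be fingerprinted. Every name, tag number and timestamp in it is constructed; the image hash is a placeholder that the imaging step would fill in.

```python
"""Evidence log with an unbroken chain of custody (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def stamp(ts: datetime) -> str:
    """Render a timestamp as UTC ISO-8601 so entries compare and sort unambiguously."""
    return ts.astimezone(timezone.utc).isoformat()


@dataclass
class EvidenceItem:
    tag: str                  # tag number written on the bag at the scene
    description: str          # make, model, serial number and other ID information
    collected_by: str
    collected_at: str
    reason: str               # why the item was collected
    image_sha256: str = ""    # hash of the bitstream image, filled in after acquisition
    disposition: str = "evidence storage"
    custody: list = field(default_factory=list)   # one entry per transfer of custody

    def current_custodian(self) -> str:
        return self.custody[-1]["to"] if self.custody else self.collected_by

    def transfer(self, giver: str, receiver: str, at: datetime, purpose: str) -> None:
        """Append a custody transfer; the giver must be the current custodian or the chain is broken."""
        if giver != self.current_custodian():
            raise ValueError(f"{self.tag}: {giver} is not the current custodian")
        self.custody.append({"from": giver, "to": receiver, "at": stamp(at), "purpose": purpose})


class EvidenceLog:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items: dict = {}

    def add(self, item: EvidenceItem) -> None:
        if item.tag in self.items:
            raise ValueError(f"duplicate evidence tag {item.tag}")
        self.items[item.tag] = item

    def canonical(self) -> str:
        """Deterministic JSON so the same log content always yields the same digest."""
        items = [asdict(i) for i in sorted(self.items.values(), key=lambda i: i.tag)]
        return json.dumps({"case_id": self.case_id, "items": items}, sort_keys=True, separators=(",", ":"))

    def digest(self) -> str:
        """SHA-256 of the canonical log; note it on the signed paper copy so later edits are detectable."""
        return hashlib.sha256(self.canonical().encode()).hexdigest()


def build_sample_log() -> EvidenceLog:
    """Constructed case: one seized PC taken to the locker, imaged by an examiner, and returned."""
    log = EvidenceLog("CASE-PLACEHOLDER-0001")
    pc = EvidenceItem(tag="E-01",
                      description="Desktop PC, placeholder make/model, S/N PLACEHOLDER-123",
                      collected_by="Officer A",
                      collected_at=stamp(datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)),
                      reason="suspected storage of contraband files")
    log.add(pc)
    pc.transfer("Officer A", "Evidence Clerk B", datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc), "intake to evidence locker")
    pc.transfer("Evidence Clerk B", "Examiner C", datetime(2024, 3, 4, 8, 30, tzinfo=timezone.utc), "forensic imaging")
    pc.image_sha256 = "0" * 64   # placeholder; the real value comes from hashing the image
    pc.transfer("Examiner C", "Evidence Clerk B", datetime(2024, 3, 4, 16, 45, tzinfo=timezone.utc), "return after imaging")
    return log


def broken_chain_rejected() -> bool:
    """True if a transfer by someone who does not hold the item is refused."""
    log = build_sample_log()
    try:
        log.items["E-01"].transfer("Officer A", "Someone Else", datetime(2024, 3, 5, tzinfo=timezone.utc), "bad transfer")
    except ValueError:
        return True
    return False
```

The digest is only useful if it is recorded somewhere the log itself cannot overwrite (the printed, initialled copy, or a signed message), which is the same principle the slides later apply to disk images.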

  14. Preserve Volatile Data1 • Order of Volatility2 • Registers and Cache • Routing Table, ARP Cache, Process Table, Kernel Statistics • Contents of System Memory (RAM) • Remote Logging and Monitoring Data • Physical Configuration, Network Topology • Temporary File Systems • Data on Disk • Archival Media 1Scene of the Cybercrime, Shinder & Tittel, p.559 2Guidelines for Evidence Collection and Archiving, IEEE, February 2002

  15. Collecting Volatile Data

  16. netstat – current network connections

  17. nbtstat – NetBIOS name resolution

  18. arp – addresses in ARP cache

  19. ipconfig – state of network

  20. Foundstone Tools

  21. Things to Avoid1 • Don’t Shutdown until volatile evidence has been collected • Don’t trust the programs on the system – use your own secure programs • Don’t run programs which modify access times of files 1Guidelines for Evidence Collection and Archiving, IEEE, February 2002
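Slides 14 through 21 describe collecting volatile data in order of volatility (netstat, nbtstat, arp, ipconfig, the Foundstone tools) while refusing to trust any program found on the suspect machine. The script below is an added example, not from the slides or from the cited guidelines, of a collector that runs each step in that order, refuses any tool that is not a full path on the response media with a hash matching a manifest prepared in advance, timestamps each step, and hashes every output file. Because the Windows tools named on the slides are not available everywhere, `demo()` uses the Python interpreter itself as a stand-in "trusted tool"; the step names, manifest contents and sample output are constructed.

```python
"""Ordered volatile-data collection using only verified tools (added example)."""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Most volatile first, following the order-of-volatility slide. On real response media
# each command would be written as a full path to the known-good copy on that media.
VOLATILE_STEPS = [
    ("network_connections", ["netstat", "-an"]),
    ("arp_cache", ["arp", "-a"]),
    ("netbios_cache", ["nbtstat", "-c"]),
    ("network_config", ["ipconfig", "/all"]),
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_paths) -> dict:
    """Hash every tool on the response media ahead of time; the manifest travels with the toolkit."""
    return {os.path.abspath(p): sha256_file(p) for p in tool_paths}


def run_step(name: str, argv: list, manifest: dict, out_dir: str) -> dict:
    """Verify the tool against the manifest, run it, store its output with a timestamp and a hash."""
    tool = argv[0]
    record = {"step": name, "tool": tool, "started": datetime.now(timezone.utc).isoformat()}
    if not os.path.isabs(tool) or not os.path.isfile(tool):
        # A bare name would be resolved through the suspect system's PATH: exactly what to avoid.
        record["status"] = "refused: tool must be an existing full path on the response media"
        return record
    if manifest.get(tool) != sha256_file(tool):
        record["status"] = "refused: tool hash does not match manifest"
        return record
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    out_path = os.path.join(out_dir, name + ".txt")
    with open(out_path, "wb") as f:
        f.write(proc.stdout)
    record.update(status="ok", returncode=proc.returncode,
                  finished=datetime.now(timezone.utc).isoformat(),
                  output_file=out_path, output_sha256=hashlib.sha256(proc.stdout).hexdigest())
    return record


def collect(steps, manifest: dict, out_dir: str) -> list:
    """Run the steps in order and write a JSON collection log beside the outputs (on the examiner's media)."""
    records = [run_step(name, argv, manifest, out_dir) for name, argv in steps]
    with open(os.path.join(out_dir, "collection_log.json"), "w") as f:
        json.dump(records, f, indent=2)
    return records


def read_output(record: dict) -> str:
    with open(record["output_file"], "rb") as f:
        return f.read().decode(errors="replace")


def demo() -> list:
    """Constructed run: the interpreter plays the trusted tool; one bare-name step and one tampered manifest."""
    out_dir = tempfile.mkdtemp(prefix="volatile_")
    tool = os.path.abspath(sys.executable)
    good = build_manifest([tool])
    bad = {tool: "0" * 64}            # manifest that no longer matches, as after a swapped binary
    print_cmd = [tool, "-c", "print('constructed sample output')"]
    steps = [("trusted_tool", print_cmd), ("netstat_by_name", ["netstat", "-an"])]
    return collect(steps, good, out_dir) + collect([("tampered_tool", print_cmd)], bad, out_dir)
```

Run `demo()` and inspect `collection_log.json`: the first step succeeds, the bare-name step is refused because it would come from the suspect's PATH, and the third is refused because the manifest hash does not match.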

  22. Acquire the Evidence To shutdown, or to not shutdown, that is the question! • Do so Without damaging or altering the original • Should you let the machine run, or pull the plug?? • Run • Retains maximum forensic evidence • Pull Plug • Removes a compromised computer from potentially affecting the whole network • How to pull the plug • From the back of the PC • When the hard drive is not spinning • Sound • Drive Light • Vibration

  23. Making Backups • File Backup vs. Bitstream Copy • Use Forensically Sterile media • Make 2 backup copies (one to work with and one to store) • Don’t access the original again!
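Slide 10 calls for a bitstream copy of the disks with verified integrity, and slide 23 contrasts a file backup with a bitstream copy and asks for two copies. The following added example (not from the slides or the cited texts) makes the difference concrete on a constructed 64 KiB "drive" file: a file backup copies only the allocated bytes of the one live file, while the bitstream copy takes every sector, including file slack and a deleted-file remnant in unallocated space. It then makes a working image and an archive image, hashes the original before and after, and passes only if all of them agree. The allocation table, the file content and the temporary directory standing in for sterile media are all constructed; a real acquisition reads the original through a write blocker, which this example cannot show.

```python
"""Bitstream copy versus file backup, with two verified images (added example)."""
import hashlib
import os
import tempfile

SECTOR = 512
DEVICE_SIZE = 64 * 1024

# Constructed allocation table for the sample drive: name -> (start offset, logical length in bytes)
ALLOC_TABLE = {"report.txt": (8 * SECTOR, 3000)}


def make_sample_device(path: str) -> None:
    """Write a raw device holding one live file, some file slack, and a deleted-file remnant."""
    disk = bytearray(DEVICE_SIZE)
    start, length = ALLOC_TABLE["report.txt"]
    disk[start:start + length] = (b"LIVE FILE DATA " * 200)[:length]
    slack = b"OLD SLACK BYTES"              # bytes after the file's logical end, inside its last sector
    disk[start + length:start + length + len(slack)] = slack
    remnant = b"REMNANT OF DELETED FILE"    # unallocated space; no file backup ever reads it
    disk[40000:40000 + len(remnant)] = remnant
    with open(path, "wb") as f:
        f.write(disk)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8 * SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def file_backup(device: str, table: dict, dest_dir: str) -> dict:
    """Logical copy: only the allocated bytes of each file, as an ordinary backup would take them."""
    copies = {}
    with open(device, "rb") as src:
        for name, (start, length) in table.items():
            src.seek(start)
            dest = os.path.join(dest_dir, name)
            with open(dest, "wb") as dst:
                dst.write(src.read(length))
            copies[name] = dest
    return copies


def bitstream_copy(device: str, image: str, block: int = 8 * SECTOR) -> str:
    """Physical copy: every sector, allocated or not, hashed as it streams past."""
    h = hashlib.sha256()
    with open(device, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            dst.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def acquire(device: str, work_dir: str) -> dict:
    """Make a working image and an archive image, then prove original and both copies agree."""
    before = sha256_file(device)            # fingerprint of the original before anything is copied
    working = os.path.join(work_dir, "working.dd")
    archive = os.path.join(work_dir, "archive.dd")
    h_working = bitstream_copy(device, working)
    h_archive = bitstream_copy(device, archive)
    after = sha256_file(device)             # re-read: acquisition must not have altered the original
    verified = before == after == h_working == h_archive == sha256_file(working) == sha256_file(archive)
    return {"sha256": before, "working": working, "archive": archive, "verified": verified}


def contains(path: str, needle: bytes) -> bool:
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    work = tempfile.mkdtemp(prefix="acq_")  # stands in for forensically sterile destination media
    device = os.path.join(work, "suspect_drive.raw")
    make_sample_device(device)
    backup = file_backup(device, ALLOC_TABLE, work)["report.txt"]
    result = acquire(device, work)
    return {
        "verified": result["verified"],
        "image_size": os.path.getsize(result["working"]),
        "backup_size": os.path.getsize(backup),
        "remnant_in_backup": contains(backup, b"REMNANT OF DELETED FILE"),
        "remnant_in_image": contains(result["working"], b"REMNANT OF DELETED FILE"),
        "slack_in_backup": contains(backup, b"OLD SLACK BYTES"),
        "slack_in_image": contains(result["archive"], b"OLD SLACK BYTES"),
    }
```

After `demo()` the working image is the one to analyze; the archive image and the recorded hash are what let anyone later show that the working copy is still identical to what was seized.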

  24. Level of Effort to Protect Evidence… If the evidence is going to be used in court VS. If the evidence is going to be used for internal investigation • Evidence method should be the same for both situations in case it ever goes to court • The more documentation the better

  25. MD5 Hashing • Wikipedia Entry • Cryptographic Hash Function • A hash function must be able to process an arbitrary-length message into a fixed-length output • Hash Function • Hash Collision • Check Digit • Cyclic Redundancy Check (CRC)

  26. Integrity of Evidence1 1“Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)

  27. Hashing Algorithms1 1Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

  28. MD5 Hash “[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”1 1http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

  29. MD5 Hash • 128-bit number representing a “fingerprint” of a file • Odds of two different files having the same MD5 Hash are 1 in 2^128 • MD5 issues??? • Collisions – Two different files generating the same hash http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf • SHA Collisions http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf

  30. Hash Try It… • http://bitsum.com/md5-sha1-sha2-sha-ripemd-whirlpool-secure-hash.php • http://bfl.rctek.com/tools/?tool=hasher • http://www.digital-detective.co.uk/freetools/md5.asp • http://www.miraclesalad.com/webtools/md5.php
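Slides 25 through 30 cover what a cryptographic hash gives the examiner: an arbitrary-length input reduced to a fixed-length fingerprint, and the concern that MD5 collisions exist. The block below is an added offline counterpart to the "try it" links, not material from the slides or the cited papers. It shows the fixed output length across input sizes, that flipping one input bit changes roughly half the output bits, and a fingerprint that records MD5 and SHA-256 together so that a collision in one algorithm alone cannot make two different files appear identical. The sample inputs are constructed; the MD5 and SHA-256 test vectors for the empty string and "abc" are the published ones.

```python
"""Hash-function properties behind evidence fingerprints (added example)."""
import hashlib


def md5_hex(data: bytes) -> str:
    """128-bit MD5 digest as 32 hex characters, whatever the input length."""
    return hashlib.md5(data).hexdigest()


def fingerprint(data: bytes) -> dict:
    """Record two independent digests; an MD5 collision by itself cannot also match the SHA-256."""
    return {"length": len(data),
            "md5": md5_hex(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def same_fingerprint(a: dict, b: dict) -> bool:
    """Two items are treated as identical only if every recorded digest agrees."""
    return a["md5"] == b["md5"] and a["sha256"] == b["sha256"]


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests of the same algorithm."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(data: bytes, bit: int, algo: str = "md5") -> int:
    """Flip one input bit and count how many digest bits change; about half for a sound hash."""
    flipped = bytearray(data)
    flipped[bit // 8] ^= 1 << (bit % 8)
    h = getattr(hashlib, algo)
    return differing_bits(h(data).hexdigest(), h(bytes(flipped)).hexdigest())


def digest_lengths(algo: str = "md5") -> set:
    """Digest lengths (hex chars) for inputs from 0 bytes to 1 MiB: a single value."""
    h = getattr(hashlib, algo)
    return {len(h(b"A" * n).hexdigest()) for n in (0, 1, 1000, 1 << 20)}
```

`digest_lengths()` returns `{32}` for MD5 and `{64}` for SHA-256 no matter how large the input grows, which is the "arbitrary length in, fixed length out" property on slide 25; `avalanche()` is the practical reason a single altered byte in an image is detected.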

  31. Admissibility of Evidence The whole point of all of this is to make sure that the evidence is admissible. Which means it is… • Relevant • Substantiates an issue that is in question in the case • Competent • Reliable and credible • Obtained legally

  32. 5 Mistakes of Computer Evidence1 • Turn on the Computer (don’t do it!) • Get Help from the Computer Owner • Don’t Check for Computer Viruses • Don't Take Any Precautions In The Transport of Computer Evidence • Run Windows To View Graphic Files and To Examine Files 1Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson
