King Fahd University of Petroleum & Minerals, College of Computer Science & Engineering
SEC 511 Principles of Information Assurance and Security
Lecture 10: Computer and Network Forensics
These slides are based on: Computer Forensics Slides, Bassel Kateeb, Tim Altimus; Chapter 19: Computer Forensics and Chapter 20: Network Forensics, Computer and Information Security Handbook, John Vacca.

Definition
• What is Computer Forensics?
 – Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
 – Evidence might be required for a wide range of computer crimes and misuses
 – Multiple methods of:
   • Discovering data on a computer system
   • Recovering deleted, encrypted, or damaged file information
   • Monitoring live activity
   • Detecting violations of corporate policy
 – Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity

Definition (Cont)
• What Constitutes Digital Evidence?
 – Any information, whether or not it has been subject to human intervention, that can be extracted from a computer.
 – Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
• Computer Forensics Examples
 – Recovering thousands of deleted emails
 – Performing an investigation after employment termination
 – Recovering evidence after a hard drive has been formatted
 – Performing an investigation after multiple users had taken over the system

Reasons For Evidence
• Wide range of computer crimes and misuses
• Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
 – Theft of trade secrets
 – Fraud
 – Extortion
 – Industrial espionage
 – Possession of pornography
 – SPAM investigations
 – Virus/Trojan distribution
 – Homicide investigations
 – Intellectual property breaches
 – Unauthorized use of personal information
 – Forgery: unauthorized copying
 – Perjury: making a misrepresentation under oath

Reasons for Evidence (Cont)
• Computer related crime and violations include a range of activities including:
• Business Environment:
 – Theft of or destruction of intellectual property
 – Unauthorized activity
 – Tracking internet browsing habits
 – Selling company bandwidth
 – Wrongful dismissal claims
 – Sexual harassment
 – Software piracy

Who Uses Computer Forensics?
• Criminal Prosecutors
 – Rely on evidence obtained from a computer to prosecute suspects and use as evidence
• Civil Litigations
 – Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Insurance Companies
 – Evidence discovered on a computer can be used to mitigate costs (fraud, worker's compensation, arson, etc.)
• Private Corporations
 – Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

Who Uses Computer Forensics? (cont)
• Law Enforcement Officials
 – Rely on computer forensics to back up search warrants and post-seizure handling
• Individual/Private Citizens
 – Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

FBI Computer Forensics Services
• Comparison against known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code

FBI Computer Forensics Services
• During the past year, FBICFL:
 – Processed 1,756 terabytes of data;
 – Conducted 4,524 forensic examinations;
 – Assisted 591 onsite law enforcement operations;
 – Trained 4,991 law enforcement officers in digital forensics techniques;
 – Appeared in court 74 times to testify at trial;
 – Examined 58,609 pieces of digital media of all kinds. The most popular types included:
   • CDs and hard drives (about 17,500 each);
   • floppy disks (10,982);
   • DVDs (4,310);
   • flash media (2,548);
   • cell phones (2,226).
   • Other items included digital cameras, GPS devices, and video and audio tapes.

Steps of Computer Forensics
• Computer Forensics is a four step process
• Acquisition
 – Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
• Identification
 – This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites
• Evaluation
 – Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
• Presentation
 – This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws

Admissibility of Evidence
• Legal rules which determine whether potential evidence can be considered by a court
• Must be obtained in a manner which ensures authenticity and validity and that no tampering has taken place
• The five rules are that evidence must be:
 – Admissible: Must be able to be used in court or elsewhere.
 – Authentic: Evidence relates to the incident in a relevant way.
 – Complete: No tunnel vision; includes exculpatory evidence for alternative suspects.
 – Reliable: No question about authenticity and veracity.
 – Believable: Clear, easy to understand, and believable by a jury.

Admissibility of the Techniques
• Whether the theory or technique has been reliably tested
• Whether the theory or technique has been subject to peer review and publication
• What is the known or potential rate of error of the method used?
• Whether the theory or method has been generally accepted by the scientific community

Handling Evidence
• No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer
• Prevent viruses from being introduced to a computer during the analysis process
• Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage

Handling Information
• Information and data being sought after and collected in the investigation must be properly handled
• There are two types of information:
• Volatile Information
 – Network Information
   • Communication between the system and the network
 – Active Processes
   • Programs and daemons currently active on the system
 – Logged-on Users
   • Users/employees currently using the system
 – Open Files
   • Libraries in use; hidden files; Trojans (rootkits) loaded in the system

Handling Information (cont)
• Non-Volatile Information
 – This includes information, configuration settings, system files and registry settings that are available after reboot
 – Accessed through drive mappings from the system
 – This information should be investigated and reviewed from a backup copy

Evidence Processing Guidelines
• The following 16 steps are recommended in processing evidence
• Some security firms offer training on properly handling each step
• Step 1: Shut down the computer
 – Consideration must be given to volatile information, which is lost at shutdown
 – Prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software)
• Step 2: Document the Hardware Configuration of the System
 – Note everything about the computer configuration prior to relocating it

Evidence Processing Guidelines (cont)
• Step 3: Transport the Computer System to a Secure Location
 – Do not leave the computer unattended unless it is locked in a secure location
• Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
• Step 5: Mathematically Authenticate Data on All Storage Devices
 – Must be able to prove that you did not alter any of the evidence after the computer came into your possession
• Step 6: Document the System Date and Time
• Step 7: Make a List of Key Search Words
• Step 8: Evaluate the Windows Swap File

Evidence Processing Guidelines (cont)
• Step 9: Evaluate File Slack
 – File slack is a data storage area of which most computer users are unaware; it is a source of significant security leakage.
• Step 10: Evaluate Unallocated Space (Erased Files)
• Step 11: Search Files, File Slack and Unallocated Space for Key Words
• Step 12: Document File Names, Dates and Times
• Step 13: Identify File, Program and Storage Anomalies
• Step 14: Evaluate Program Functionality
• Step 15: Document Your Findings
• Step 16: Retain Copies of Software Used
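Steps 4 and 5 (bit-stream backup and mathematical authentication) are worth seeing in code. The following is an added example, not part of the lecture or of Vacca's text: it images a constructed stand-in for a seized drive sector by sector, hashes the source while it is being read, confirms the image matches, and then shows that a single flipped bit in the working copy is caught by re-verification. The 512-byte sector size, the temporary files and the byte offset that gets tampered with are all assumptions of the example; on a real acquisition the source would sit behind a hardware write blocker.

```python
# Added example (not from the lecture or from Vacca): bit-stream imaging of a
# constructed drive with on-the-fly hashing, then re-verification.
import hashlib
import os
import random
import tempfile

SECTOR = 512  # assumed sector size for the constructed drive


def make_sample_drive(path, sectors=64, seed=7):
    """Constructed sample: pseudo-random bytes standing in for a physical disk."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(sectors * SECTOR)))


def hash_file(path):
    """SHA-256 of a file, read one sector at a time so large images need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(src, dst):
    """Copy every sector of src to dst (dd-style), hashing the source as it is read.
    Returns (hash observed during acquisition, hash of the finished image); the two
    must agree before the image is accepted as an exact copy."""
    acquired = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            sector = fin.read(SECTOR)
            if not sector:
                break
            acquired.update(sector)
            fout.write(sector)
    return acquired.hexdigest(), hash_file(dst)


def verify_image(image, recorded_hash):
    """Re-hash the working copy and compare with the hash recorded at acquisition."""
    return hash_file(image) == recorded_hash


def demo():
    """Image a sample drive, verify it, flip one bit in the copy, verify again.
    Returns (verified_after_imaging, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect.raw")   # stand-in for the seized device
        image = os.path.join(d, "suspect.dd")    # the examiner's working copy
        make_sample_drive(drive)
        acq_hash, img_hash = bitstream_image(drive, image)
        intact = acq_hash == img_hash and verify_image(image, acq_hash)
        # Simulate a careless write: one bit changed deep inside the image.
        with open(image, "r+b") as f:
            f.seek(5000)
            original = f.read(1)
            f.seek(5000)
            f.write(bytes([original[0] ^ 0x01]))
        return intact, verify_image(image, acq_hash)


if __name__ == "__main__":
    print(demo())
```

The hash recorded at acquisition is what goes into the chain-of-custody notes; every later examination re-runs `verify_image` on the working copy, and any mismatch means the copy can no longer be presented as authentic.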

Anti-Forensics
• Software that limits and/or corrupts evidence that could be collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and commonly used forensic tools
• Works on both Windows and Linux based systems
• Might be used prior to or after system acquisition

Anti-Forensics (cont)
• To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new, controversial logical encodings: steganography and marking.
• Steganography: The art of storing information in such a way that the existence of the information is hidden.

Steganography
• Example: "The duck flies at midnight. Tame uncle Sam"
• Simple but effective when done well

Watermarking
• Watermarking: Hiding data within data
 – Information can be hidden in almost any file format.
 – File formats with more room for compression are best:
   • Image files (JPEG, GIF)
   • Sound files (MP3, WAV)
   • Video files (MPG, AVI)
 – The hidden information may be encrypted, but not necessarily
 – Numerous software applications will do this for you; many are freely available online
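The simplest way data is hidden inside an image file is least-significant-bit (LSB) embedding, which the examples on the steganography and watermarking slides depend on. The block below is an added example, not from the lecture or from any of the stego tools it alludes to: it embeds a message in the LSBs of a constructed 8-bit grayscale image (a flat list of pixel values), extracts it again the way an examiner would once the scheme is known, and shows that no pixel moved by more than one grey level, which is why the change is invisible. The image contents, the message and the 16-bit length header are assumptions of this example.

```python
# Added example (not from the lecture): LSB steganography in a constructed
# grayscale image, with extraction and a pixel-difference check.


def make_cover(width=64, height=16):
    """Constructed cover image: a smooth horizontal gradient, row-major pixels."""
    return [int(x * 255 / (width - 1)) for _ in range(height) for x in range(width)]


def capacity_bytes(pixels):
    """One bit per pixel, minus the 16-bit length header (assumed format)."""
    return (len(pixels) - 16) // 8


def embed(pixels, message):
    """Replace the LSB of successive pixels with the bits of a 16-bit big-endian
    length header followed by the message bytes, most significant bit first."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too long for this cover")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear LSB, set it to the payload bit
    return stego


def extract(pixels):
    """Read the LSBs back: first 16 bits give the length, then that many bytes."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at pier 9 at midnight")
    print(extract(stego), max_pixel_change(cover, stego))
```

Because the cover's LSBs are overwritten with message bits that look random, statistical stego detectors look for exactly that loss of structure in the LSB plane; the extraction above is what an examiner runs once a tool such as FTK has flagged the file as a likely carrier.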

Methods of Hiding Data on Disk
• Hard Drive/File System manipulation
 – Slack Space: the space between the logical end of a file and the physical end of the cluster that holds it is called the file slack. The logical end of a file comes before the physical end of the cluster in which it is stored. The remaining bytes in the cluster are remnants of previous files or directories stored in that cluster.
   • Slack space can be accessed and written to directly using a hex editor.
   • This does not add any "used space" information to the drive

Methods of Hiding Data on Disk (cont)
• Hard Drive/File System manipulation (cont.)
 – Hidden drive space is non-partitioned space in between partitions
   • The partition table is modified to remove any reference to the non-partitioned space
   • The addresses of the sectors must be known in order to read/write information to them
 – Bad sectors occur when the OS attempts to read info from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from/written to again
   • Users can control the flagging of bad sectors
   • Flagged sectors can be read from/written to with direct reads and writes using a hex editor

Methods of Hiding Data on Disk (cont)
• Hard Drive/File System manipulation (cont.)
 – Extra Tracks: most hard disks have more than the rated number of tracks to make up for flaws in manufacturing (so a drive is not thrown away for failing to meet the minimum number).
   • Usually not required or used, but with direct (hex editor) reads and writes they can be used to hide/read data
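The slack-space technique on the first of these slides, and the examiner's answer to it in Steps 9 to 11 of the processing guidelines, can both be shown on a toy volume. The block below is an added example, not from the lecture: a flat byte array divided into clusters, where writing a file only touches its logical length, so the rest of the cluster keeps whatever was there before. A deleted file leaves a remnant in the slack of the short file that replaces it, a hex-editor-style raw write stashes a message in that slack without changing the used-space total, and a keyword search over allocated data, slack and unallocated clusters finds both. The 4096-byte cluster size, the file names and the contents are all constructed for this example.

```python
# Added example (not from the lecture): slack-space hiding on a toy volume and
# the investigator's keyword search across allocated, slack and unallocated space.
CLUSTER = 4096  # assumed cluster size


class ToyVolume:
    """Clusters in a byte array plus a directory of single-cluster files.
    Only a file's logical bytes are written, so the bytes between its logical
    end and the cluster end (the slack) are left exactly as they were."""

    def __init__(self, clusters):
        self.raw = bytearray(CLUSTER * clusters)
        self.files = {}  # name -> (cluster, logical_size)

    def write_file(self, name, cluster, data):
        if len(data) > CLUSTER:
            raise ValueError("single-cluster files only in this toy")
        start = cluster * CLUSTER
        self.raw[start:start + len(data)] = data   # slack bytes are not touched
        self.files[name] = (cluster, len(data))

    def read_file(self, name):
        """What the file system (and a naive examiner) sees: logical bytes only."""
        cluster, size = self.files[name]
        return bytes(self.raw[cluster * CLUSTER:cluster * CLUSTER + size])

    def delete_file(self, name):
        del self.files[name]  # the directory entry goes; cluster contents stay

    def slack(self, name):
        cluster, size = self.files[name]
        return bytes(self.raw[cluster * CLUSTER + size:(cluster + 1) * CLUSTER])

    def raw_write(self, offset, data):
        """Direct write at a byte offset, as a hex editor would do."""
        self.raw[offset:offset + len(data)] = data

    def used_space(self):
        return sum(size for _, size in self.files.values())

    def unallocated_clusters(self):
        allocated = {c for c, _ in self.files.values()}
        return [c for c in range(len(self.raw) // CLUSTER) if c not in allocated]


def keyword_search(vol, keywords):
    """Step 11: search files, file slack and unallocated clusters for each keyword.
    Returns a sorted list of (keyword, region) hits."""
    regions = []
    for name in vol.files:
        regions.append(("file:" + name, vol.read_file(name)))
        regions.append(("slack:" + name, vol.slack(name)))
    for c in vol.unallocated_clusters():
        regions.append(("unalloc:%d" % c, bytes(vol.raw[c * CLUSTER:(c + 1) * CLUSTER])))
    hits = set()
    for label, data in regions:
        for kw in keywords:
            if kw in data:
                hits.add((kw, label))
    return sorted(hits)


def scenario():
    """Constructed scenario; returns the observations an examiner would record."""
    vol = ToyVolume(clusters=4)
    # 1. A file holding a secret is written to cluster 1, then deleted.
    vol.write_file("ledger.txt", 1, b"ACCOUNT 4471 transfer 90000 to offshore\n" * 20)
    vol.delete_file("ledger.txt")
    # 2. A short innocuous file reuses cluster 1; its slack keeps the old bytes.
    vol.write_file("notes.txt", 1, b"shopping list: milk, bread\n")
    # 3. The suspect hides a message inside notes.txt's slack with a raw write.
    vol.raw_write(1 * CLUSTER + 2000, b"meet at pier 9 at midnight")
    # 4. Another deleted file is left behind in unallocated cluster 3.
    vol.write_file("plan.txt", 3, b"wire the money on friday")
    vol.delete_file("plan.txt")
    return {
        "file_view": vol.read_file("notes.txt"),
        "used_space": vol.used_space(),
        "remnant_in_slack": b"ACCOUNT 4471" in vol.slack("notes.txt"),
        "hits": keyword_search(vol, [b"ACCOUNT", b"pier 9", b"wire the money"]),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Note that `used_space` reports only the 27 logical bytes of notes.txt both before and after the raw write, which is the "no used-space information" property the slide describes; the search works because it reads cluster ranges from the image, not files through the file system.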

Forensics Tools
• Hardware Devices:
 – Write Blocker
• Software Tools:
 – Imaging Software
   • Creates an exact copy of the hard drive (a hash is used for checking)
   • Also called a bitstream copy
 – Disk Deep Searching Software
• The forensics tool that is chosen must have been successfully used in court cases:
 – EnCase
 – Forensic Toolkit (FTK)

EnCase
• EnCase is a computer forensics tool widely used by law enforcement agencies
• It allows:
 – Imaging
 – Write blocking
 – Hash calculation
 – Locating hidden drives and partitions
 – Locating hidden files
 – Multiple location searching

Forensic Toolkit (FTK)
• Forensic Toolkit (FTK) allows you to:
 – Create images of hard drives
 – Analyze the registry
 – Scan slack space for file fragments
 – Inspect emails
 – Identify steganography
 – Crack passwords

What is Network Forensics?
• Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.
• Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
• A network forensics appliance is a device that automates this process.
• Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.

What is Network Forensics? (cont)
• Network forensics systems can be one of two kinds:
 – "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.
 – "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Network Forensics Challenges
• Two attacks make network forensics more challenging:
 – IP Spoofing: change the source IP address in the header to that of a different machine and thus avoid traceback. Countermeasures:
   • Traceback by storing some data in the routers
   • Traceback by adding some info to the packets
 – Stepping-Stone: the attack flow may travel through a chain of stepping stones (intermediate hosts) before it reaches the victim. Countermeasure:
   • Time-based sampling and matching
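"Traceback by adding some info to the packets" is usually probabilistic packet marking. The block below is an added example, not from the lecture or from Vacca, simulating the node-sampling form of that scheme: each router on the attack path overwrites a mark field with its own address with probability p, so the victim, who cannot trust the spoofed source address, can still order the routers by how often each one's mark survives. The router names, the spoofed address, the marking probability and the packet count are assumptions of the simulation, and a seeded generator makes the run repeatable.

```python
# Added example (not from the lecture): node-sampling probabilistic packet
# marking, simulated end to end from attacker to victim.
import random
from collections import Counter


def simulate_marks(path, n_packets, p, seed=1):
    """path lists the routers from the attacker's side towards the victim.
    Every packet leaves the attacker with a spoofed source address and an empty
    mark field; each router on the way overwrites the mark with its own address
    with probability p. Returns a Counter of the marks that reached the victim."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(n_packets):
        packet = {"src": "203.0.113.9", "mark": None}  # spoofed src: useless for traceback
        for router in path:
            if rng.random() < p:
                packet["mark"] = router
        seen[packet["mark"]] += 1
    return seen


def expected_fraction(distance, p):
    """Probability that the router `distance` hops from the victim (1 = nearest)
    leaves the surviving mark: it marks with p and no later router overwrites it."""
    return p * (1 - p) ** (distance - 1)


def reconstruct_path(seen):
    """Victim side: nearer routers survive more often, so ranking marks by count
    orders the path outward from the victim; reversed, it reads attacker -> victim."""
    ranked = [router for router, _ in seen.most_common() if router is not None]
    return list(reversed(ranked))


if __name__ == "__main__":
    attack_path = ["R1", "R2", "R3", "R4", "R5"]  # R5 is adjacent to the victim
    marks = simulate_marks(attack_path, n_packets=20000, p=0.5)
    print(marks)
    print(reconstruct_path(marks))
```

The scheme only works against a sustained flow: with p = 0.5 a router five hops out survives in about 3% of packets, and the attacker's own forged marks are diluted the same way, which is why the choice of p and the number of packets needed are the practical limits of the technique.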

The end Reading: Vacca, Chapters 19, 20.
