On-Scene Triage of Electronic Evidence

Slides: 187

On-Scene Triage
• Identification of electronic evidence
• Identifying wireless networks
• Capturing volatile data pt. 1 – RAM dumps
• Encryption
• On-scene imaging of electronic data
• Capturing volatile data pt. 2 – Router interrogation
• Seizure/transportation/storage

Identification of Electronic Evidence

What is “electronic evidence”?
• Items of interest in a criminal investigation which contain evidence in the form of electronic data
  • Computers
  • External storage media
  • Mobile devices
  • Gaming devices
  • Networking devices
  • Navigation devices
  • Etc.

Computers
• Desktop
• Laptop

Desktop computers

iMac all-in-one

All-in-one PCs

Mac Mini

Laptop PC

MacBook laptop

Netbooks

Internal hard drives

IDE vs. SATA

Internal drive dock

External Drives

Multi-drive externals

Other externals

Network Attached Storage (NAS)

USB flash media

Some “different” ones

Would you seize this?

These, however, are not storage devices

Media
• Floppy Disk/Zip/Jaz/SuperDisk
• CD/DVD
• Flash media cards

Floppy Disks

Zip disks

Jaz drives

SuperDisk

CD/DVD

Do we need to seize these? How about this?

Flash media cards

Let’s say I’m serving a search warrant for files such as documents, spreadsheets, etc. Is this something I should be interested in?

Mobile devices
• Cell phones
• Tablets
• PDAs

Cell Phones

Smartphones

And what do a lot of phones have in them?

Tablets

PDAs

Gaming devices

Media players

Networking devices

GPS

Printers/Copiers

Accessories/Supplemental Devices
• Chargers
• Manuals
• Software

Do I need to take everything?
• Short answer: yes
• Longer answer: maybe not

Why should I take everything?
• You may need to recreate the suspect’s system, for court or analysis
• Forfeiture
• To make it more difficult for him to continue/renew criminal activity
• Some devices may be specialized and/or rare/obsolete; your examiner may be unable to complete the exam without them

Why should I not take everything?
• Much of it will not be useful in your investigation
• You may just end up returning it later
• It will fill up your evidence room and really annoy your evidence custodian

A word of caution:
• We cannot seize computers, etc., from a business or an individual that needs that equipment for employment or business activity, and not provide the business or individual access to the (non-contraband) data he needs.

Additionally:
• We cannot seize data that is “work product” from journalists, authors, artists, etc., and not give them access to the (non-contraband) data.

So we’ve got a warrant, and we know what electronic evidence looks like. Now what? First, some general guidelines/principles to be aware of…

• At the scene, officer safety is the number one priority. Make sure you have enough manpower to secure the scene. If your bad guy isn’t home, don’t cut everyone loose while you search the house. Remember, some of the crimes we are talking about will result in these people going to jail for a long, long time; they may act foolishly.

• Also with regard to officer safety, be aware of what brought you there. A lot of computer evidence relates to crimes such as child porn. Do not touch the keyboard without gloves. Don’t take home something you don’t want.

• Do not let the suspect, witness or anyone else access the devices (for example, to enter a password for you, or show you where a file is located)
• This includes you; don’t sit down at the keyboard and “look around”

• Be aware that it is not always possible for items to be seized and removed from the scene for examination.

• If things look really complicated, or something about the situation makes you nervous, call for help. Electronic evidence that is seized incorrectly can be lost forever. There is no shame in asking for help from a specialist. Trust your instincts.

• Get a good interview with the bad guy while you are at the scene. He may be willing to tell you things that will help you.
  • Encryption keys
  • Locations of files
  • Confession

Can I just shut it down?
• NOT YET!!
  • We need to document what is going on
  • We need to determine if data is encrypted
  • We need to determine if any volatile data needs to be captured

• Once the scene is secured, before we start fiddling around with the evidence, take photographs to document everything.

Documentation
• Why do we care what the computer is doing when we arrive?
  • Chatting
  • Downloading
  • Opened files which may not be saved
  • System date and time

What happens to this unsaved document if I just yank the plug? Is there any way to preserve this evidence?

• We can testify to the jury about what was going on when we arrived, and what we subsequently discovered during the examination, but a picture has a lot more impact with them.
• Document, document

Before we get started…
• One of the tools we are going to use in a lot of the following procedures is FTK Imager Lite
• Let’s get it set up

First, let’s prepare our media
• Most thumb drives will be formatted with a FAT file system by default. THIS WILL NOT WORK ON NEWER SYSTEMS!
  • 4 GB file size limit – a single file of 4 GB or more (such as a RAM dump from a system with 4 GB or more of memory) cannot be written to it
• How do we change that?

• So let’s re-format it with an NTFS file system, which will handle files larger than 4 GB.

FTK Imager Lite
• Free download
• We want the “Lite” version

FTK Imager Lite
• The download is a .zip file
• Unzip it to your thumb drive/external drive
• Create a folder on the drive to direct your output to

• We’ll talk about the other tools as we go along

Identifying Wireless Networks

Identifying wireless networks
• Why do we need to?
• Do we need a specialized device?

• Note: prior to using the following techniques, you need to “sterilize” your equipment by forgetting all the stored networks, so that the device will not automatically connect to the router if it recognizes its SSID.

• Using your laptop’s wifi utility, locate the suspect network – it will give the name, and indicate whether or not it is secured

• You can also use the wifi utility in your phone or tablet, if so equipped

• There are also mobile apps which will give us info about the wireless network to which the device is connected

• Things change quickly in the world of computer technology
• We must be willing to adjust our methods accordingly

Encryption

Encryption
• Encryption vs. password
• Can we access the encrypted data?

Encryption
• Quality encryption is readily available to non-geeks
  • BitLocker
  • EFS
  • TrueCrypt
• Free*
• User friendly

• What can we, as examiners, do with files or disks that are encrypted, if we don’t know the key? – NOTHING

Some common types of encryption
• Full disk encryption – entire physical or logical disk
  • Can be software or hardware based
  • Files or systems in use are not protected
  • Files at rest are protected
  • Protects against situations like laptop theft, etc.
  • PGP, BitLocker, FileVault, some hard drives

Some common types of encryption
• Filesystem-level encryption – individual files or folders are encrypted
  • Can add further security to a fully encrypted disk
  • Metadata, such as file names, sizes, timestamps, and directory structure, is not encrypted
  • EFS is a filesystem-level encryption

BitLocker
• BitLocker is included in the Ultimate and Enterprise versions of Vista, 7 and 8
• BitLocker is full disk encryption

BitLocker

Here’s how a BitLocker encrypted drive appears in Windows Explorer

• Some versions of Windows also allow us to encrypt files or folders using EFS (encrypting file system)
• Drive must be formatted NTFS (most thumb drives are not)

Now the encrypted files and folders will be green in Windows Explorer

TrueCrypt
• TrueCrypt WAS a free on-the-fly encryption utility which could be used to encrypt an entire physical or logical disk, or to create an encrypted container
• As of May 28, 2014, TrueCrypt is no longer supported or maintained, and advised its users to find other solutions

Does this mean we will no longer encounter TrueCrypt?

TrueCrypt
• Using TrueCrypt, we can either encrypt the whole drive, or we can create an “encrypted container”
• We select how large we want the container to be, and what the encryption key will be

Here is an attempt to open a previously created encrypted TrueCrypt container; note that the OS doesn’t know what to do with it.

Now, we assign a vacant drive letter to the soon-to-be decrypted container, direct TrueCrypt to the container we had previously created, and tell it to mount the container…

TrueCrypt prompts us to enter the encryption key.

And TrueCrypt decrypts and mounts the container, making it available to us.

And we can now access the decrypted contents.

• So, if we encounter a computer and are aware that TrueCrypt is running… it behooves us to secure that encrypted data prior to shutdown (we’ll discuss how shortly).

• So, now that we’re sufficiently convinced that our bad guy has convenient choices for encrypting his stuff, what do we do?

Encryption detection
• Tools are available which will assist us in detecting if encryption is present
  • FTK Imager Lite
  • osTriage
  • CryptHunter
• None are perfect (but, on the positive side, all are free!)

Before we start…
• In order to run these tools, we have to insert a thumb drive into a running suspect system
• Are we changing data?
• Is this a problem?

• We add our evidence item
• And then check for encryption

Here is FTK Imager looking at the thumb drive containing the EFS encrypted files

If we drill down to the files on the drive, we see the key icon next to them, indicating that they are EFS encrypted

• Great; problem solved, right? …not so fast.

Here are our other two thumb drives, one encrypted with BitLocker and one encrypted with TrueCrypt

• FTK Imager only detects EFS encryption
• Is that good enough?

Let’s try it with osTriage

2 out of 3

• “osTriage currently detects TrueCrypt, BestCrypt, PGP, and Bitlocker” – osTriage Manual

Those same three drives as seen by CryptHunter

What’s the moral of the story?
• None of the tools are perfect
• You may need to use more than one
• You need to evaluate your suspect and your scene, and don’t rely solely on the tools
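To make the “none of the tools are perfect” point concrete, here is an added example (not code from the deck, nor from FTK Imager, osTriage or CryptHunter) that applies the kind of checks such tools rely on: the NTFS encrypted-attribute bit that EFS sets, the “-FVE-FS-” OEM name in a BitLocker volume’s boot sector, and an entropy heuristic for signature-less TrueCrypt-style containers. The sample files, their names, the 7.9 bits/byte threshold and the 512-byte-multiple rule are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile

# Facts the heuristics rely on (documented, public values): a BitLocker volume's
# boot sector carries the OEM name "-FVE-FS-" at byte offset 3; EFS marks files
# with the NTFS "encrypted" attribute bit; TrueCrypt containers have no plaintext
# header at all, so they can only be flagged as random-looking data whose size
# is a whole number of 512-byte sectors (threshold and sector rule are assumptions).
BITLOCKER_OEM = b"-FVE-FS-"
FILE_ATTRIBUTE_ENCRYPTED = 0x4000          # visible via os.stat on Windows only
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c", b"\x89PNG", b"%PDF")
ENTROPY_THRESHOLD = 7.9                    # bits/byte; uniform random data approaches 8.0
SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sampled bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: str, sample_size: int = 1 << 20) -> str:
    """Return 'efs', 'bitlocker', 'possible-container' or 'none' for one file."""
    st = os.stat(path)
    if getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_ENCRYPTED:
        return "efs"                       # the attribute behind FTK Imager's key icon
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    if head.startswith(COMPRESSED_MAGIC):
        return "none"                      # compressed data is random-looking but not hidden
    if st.st_size % SECTOR == 0 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "possible-container"        # TrueCrypt-style: no signature, only a hunch
    return "none"


def scan_directory(directory: str) -> dict:
    """Classify every regular file directly under `directory` (name -> verdict)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = classify(path)
    return report


def build_samples(directory: str) -> None:
    """Constructed files standing in for the deck's test thumb drives."""
    samples = {
        "notes.txt": b"documents and spreadsheets\n" * 2000,               # ordinary data
        "bitlocker.img": b"\xeb\x58\x90" + BITLOCKER_OEM + b"\x00" * 501,   # 512-byte boot sector
        "holiday.tc": os.urandom(64 * SECTOR),                              # container look-alike
        "backup.zip": b"PK\x03\x04" + os.urandom(64 * SECTOR - 4),          # compressed, also random
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def demo() -> dict:
    """Build the samples in a scratch directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Run on a non-Windows machine the EFS branch can never fire, and a container whose size is not a sector multiple is missed: exactly the gaps that make a second tool and the examiner’s own judgement necessary.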

Capturing Volatile Data pt. 1 – RAM Dumps

Volatile Data
• What exactly are we talking about?
• Memory that will lose its contents if power is removed
  • RAM
  • Router memory

RAM – Random Access Memory
• Data can be written and read in the same amount of time regardless of what order the data is stored in
• By contrast, with direct access memory (hard drives, CDs, etc.) data read and write speeds depend on the physical location of the data on the medium

• RAM is memory available to the operating system and programs for processing and functioning, not storage

What is a pagefile?
• In most systems, a portion of the computer’s hard drive space is set aside as “virtual RAM” to extend the RAM capacity of the system
• Results in additional (although slower) RAM; data is swapped back and forth from this pagefile (also sometimes called a swap file) to the RAM

RAM – Random Access Memory
• Data is stored as electrical impulses which disappear when power is removed
• Everything present must, therefore, have been created since the computer was turned on

• Remember, this is memory that will lose its contents if power is removed
• We can’t seize these items, take them back to our office and examine them there – it must be done on-scene, or it’s gone forever

Things to remember
• You can’t put 8 GB of RAM on a 4 GB thumb drive (or an 8 GB thumb drive, for that matter)
• This is called a memory “dump” for a reason
• You are making changes to the system

FTK Imager Lite

Select the Browse button

Direct it to a prepared folder on your thumb drive

Rename it, and don’t forget to capture the pagefile, too

Capture Memory

…and wait

Until you see:

Hit the close button:

In your “Acquired Data” folder

Now?
• We examine the dump using a forensic tool, such as EnCase or FTK
• Let’s take a look at some things we found in a sample RAM dump…

• First, let’s look at what I did before I dumped the RAM…

I mounted a TrueCrypt volume…

I did a search for tips on poisoning my wife…

And I typed a note to a friend…

• Can we find any sign of these activities in our RAM dump?

Loaded into EnCase…

How about our TrueCrypt key?
• In plain text! (and it actually appears four times in the dump)

Our threatening note (that was never saved)

Our Google Search

• Lots of good data may be available to us in the RAM dump
• We can’t seize it and examine it later
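The three finds above (a passphrase left in memory several times, an unsaved note, a search URL) are what a string search over the dump turns up. As an added example, not code from the deck or from EnCase/FTK, here is a minimal searcher that scans both ASCII and UTF-16LE, because Windows GUI programs keep typed text in UTF-16 and an ASCII-only search would miss the note; the dump, passphrase, note and URL are constructed stand-ins, not a real capture.

```python
import re

MIN_LEN = 6  # shortest printable run worth reporting, as in the classic `strings` tool


def extract_strings(dump: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for printable runs in ASCII and UTF-16LE."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def find_all(dump: bytes, needle: str) -> dict:
    """Offsets at which `needle` occurs, per encoding (non-overlapping matches)."""
    hits = {}
    for enc in ("ascii", "utf-16le"):
        pattern = re.escape(needle.encode(enc))
        hits[enc] = [m.start() for m in re.finditer(pattern, dump)]
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM dump (not a real capture).

    Non-printable filler surrounds a TrueCrypt-style passphrase that the mount
    left in memory four times, an unsaved note held as UTF-16 by the editor,
    and the URL of a browser search.
    """
    filler = b"\x00\xff\x01\xfe" * 64
    passphrase = b"correct horse battery staple"           # constructed, not a real key
    note = "I never saved this note to a friend".encode("utf-16le")
    url = b"https://www.google.com/search?q=constructed+example+query"
    parts = [filler, passphrase, filler, url, filler, passphrase, filler, note,
             filler, passphrase, filler, passphrase, filler]
    return b"".join(parts)


def triage_report(dump: bytes, known_passphrase: str) -> dict:
    """Summary of what the dump holds, the way the deck walks through its own sample."""
    strings = extract_strings(dump)
    return {
        "ascii_strings": sum(1 for s in strings if s[1] == "ascii"),
        "utf16_strings": sum(1 for s in strings if s[1] == "utf-16le"),
        "key_hits": find_all(dump, known_passphrase),
        "urls": [s[2] for s in strings if s[2].startswith(("http://", "https://"))],
        "unicode_text": [s[2] for s in strings if s[1] == "utf-16le"],
    }


if __name__ == "__main__":
    dump = build_sample_dump()
    for key, value in triage_report(dump, "correct horse battery staple").items():
        print(f"{key:14s} {value}")
```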

On-Scene Imaging

On-scene Forensic Imaging
• First, what is a forensic image?
• What tools do we use to create them?
• And in what situations would we need to create them on-scene?

FTK Imager Lite
• There are several tools which can create images of different formats
• FTK Imager Lite is the one we recommend
  • Industry standard from industry leader AccessData
  • Fast, reliable
  • FREE!

FTK Imager Lite
• Some considerations…
  • How big is the source drive?
  • How big is the target drive?
  • How much time do you have?

Here is the icon for creating an image…

FTK Imager Lite
• In most situations, we are going to be creating images of physical drives

FTK Imager Lite
• Now, we select the drive we are going to create an image of
• What’s that second listed drive?

What do these mean?

Very Important

• And then turn it loose…
• …and wait

FTK Imager Lite
• What are we going to do with the resulting image?
• Examining the image is a more advanced, complex, and time-consuming procedure
• But we have preserved the evidence, and made sure that it is available to our examiner

Capturing Volatile Data pt. 2 – Router Interrogation

Router Interrogation
• This is a brief overview of the process of router interrogation, not a detailed tutorial
• Before trying this at a scene, seek further training, and practice, practice

How do we connect to the router?
• First, disconnect the router from the internet (i.e., “the outside world”)

How do we access a router?
• First, we need to attach our laptop to the router via one of the LAN ports
• Then, we need to know the IP address and username/password for the router
  • This is not the internet username and password

Why don’t we connect wirelessly?
• So we can say for sure we connected to the correct device – what if there are several wifi networks in range?
• We need a password to connect to a secured network via wifi, but not via direct physical connection

Now, we type the IP address into a web browser, and enter the username/password.

Router Log

DHCP Client List

• Did we make any changes to the data contained in this router?
  • Entry in DHCP client list for our machine
  • Entry in log for administrative access
• Did we just screw up our case?

• There is a lot of other interesting information contained in the router – security settings, date/time, filtering data, etc. – that may be valuable to your investigation
• If this is something that interests you, get more training, and practice
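The two changes we cause (our own DHCP lease and our admin login) need to be recognised and recorded, not hidden. As an added example, not code from the deck or from any router vendor, here is a parser that reads a DHCP client list and a router log, separates the entries our laptop introduced (identified by its MAC and the IP it was leased) from the suspect’s devices, and fingerprints the raw page text for the notes; the table and log layouts, hostnames, MACs and addresses are all constructed, since real routers format these pages differently.

```python
import hashlib
import re

# Constructed sample of what a consumer router's web interface might show after
# we plug our laptop into a LAN port and log in. These are invented, vendor-neutral
# layouts, not captures from any real device.
DHCP_CLIENT_LIST = """\
Hostname        MAC Address        IP Address     Lease Expires
DESKTOP-7Q2     00:1a:2b:3c:4d:5e  192.168.1.101  23:12:40
android-9f3     6c:71:d9:aa:bb:cc  192.168.1.104  20:03:11
triage-laptop   d4:3b:04:11:22:33  192.168.1.108  23:59:58
"""

ROUTER_LOG = """\
2014-06-02 09:14:05 [DHCP IP: 192.168.1.101] assigned to 00:1a:2b:3c:4d:5e
2014-06-02 11:40:52 [DHCP IP: 192.168.1.104] assigned to 6c:71:d9:aa:bb:cc
2014-06-02 15:47:02 [DHCP IP: 192.168.1.108] assigned to d4:3b:04:11:22:33
2014-06-02 15:47:40 [Admin login] from 192.168.1.108 succeeded
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dhcp_clients(text: str) -> list:
    """One dict per lease row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4:
            rows.append({"host": cols[0], "mac": cols[1].lower(), "ip": cols[2], "expires": cols[3]})
    return rows


def split_examiner_entries(rows: list, log: str, examiner_mac: str) -> dict:
    """Keep everything, but flag what we introduced by connecting and logging in.

    Our lease is the row carrying our laptop's MAC; the IP on that lease is what
    identifies our admin login in the log.
    """
    examiner_mac = examiner_mac.lower()
    ours = [r for r in rows if r["mac"] == examiner_mac]
    our_ips = {r["ip"] for r in ours}
    tagged_log = []
    for line in log.splitlines():
        macs = {m.lower() for m in MAC_RE.findall(line)}
        ips = set(IP_RE.findall(line))
        introduced = examiner_mac in macs or bool(ips & our_ips)
        tagged_log.append({"line": line, "introduced_by_us": introduced})
    return {
        "suspect_clients": [r for r in rows if r["mac"] != examiner_mac],
        "our_clients": ours,
        "log": tagged_log,
    }


def capture_fingerprint(*pages: str) -> str:
    """SHA-256 over the raw page text, recorded in the notes next to the screenshots."""
    h = hashlib.sha256()
    for page in pages:
        h.update(page.encode("utf-8"))
    return h.hexdigest()


def interrogate(examiner_mac: str = "d4:3b:04:11:22:33") -> dict:
    """Run the whole pass over the constructed sample; the default MAC is our laptop's."""
    report = split_examiner_entries(parse_dhcp_clients(DHCP_CLIENT_LIST), ROUTER_LOG, examiner_mac)
    report["fingerprint"] = capture_fingerprint(DHCP_CLIENT_LIST, ROUTER_LOG)
    return report


if __name__ == "__main__":
    result = interrogate()
    print("suspect devices:", [(c["host"], c["mac"], c["ip"]) for c in result["suspect_clients"]])
    print("our own entries:", [(c["host"], c["ip"]) for c in result["our_clients"]])
    for entry in result["log"]:
        print(("OURS  " if entry["introduced_by_us"] else "      ") + entry["line"])
    print("capture sha256 :", result["fingerprint"])
```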

Seizing Electronic Evidence

Operating system
• The method we will use to shut down the computer will be determined by the operating system
  • Windows (server?)
  • Linux
  • Mac OS

• If the computer is turned off, leave it off
• If the computer is on, but the screen is blank, move the mouse to wake it up

How can you tell what the OS is?
• Most of us are familiar with the general look of a Windows machine

What does Linux look like?

How about Mac OS?

Windows
• If it is a Windows machine, and is not Windows Server, pull the plug from the back of the machine.
• Why not the wall?
• How about a laptop?

Windows Server
• If it is Windows Server, turn the computer off using the appropriate commands.

Linux
• Turn the computer off using the appropriate commands.

Mac OS
• Turn the computer off using the appropriate commands.

• Once it’s off, label the cords as you remove them from the back of the machine, and label the ports to which those cords are attached.

Mobile devices – isolate?
• Why would we want to isolate a mobile device from the network?
  • Prevent changes to the data
  • Protect evidence
  • Ensure we are in compliance with our warrant

• Why would we not want to isolate a mobile device from the network?
  • Prevent the device from locking us out
  • Prevent rapid battery drain

Low-tech options
• Remove the battery?
  • Pros: easy, cheap and takes no skill
  • Cons: some batteries can’t be removed (iPhone) and it may also activate the PIN.
• Airplane mode?
  • Pros: cheap, and effective
  • Cons: you are changing data. Can you successfully turn on airplane mode without accidentally screwing something up? Does airplane mode disable wifi access?

Other options
• Faraday bags
• Foil
• Signal jammers?

I am not going to tell you how you should do it. The bottom line is that you should develop an SOP and stick to it… and don’t be afraid to break it (as long as you can explain why you did).

Now it’s off; what do we do with it?
• Transport it in the car like a person; put a seatbelt on it
• Keep it in the position in which it was found

• Keep it away from:
  • Heat
  • Cold
  • Water
  • Magnetic fields

Once it’s back at your station:
• Package it in two containers:
  • Items that will be examined
    • Computers
    • Mobile devices
    • Media
    • External devices
  • Items that will not be examined
    • Monitors
    • Keyboards
    • Mice
    • Speakers

Accurately label the items
• Make, model, serial number
• Do cell phones have serial numbers?
  • MEID/ESN
  • IMEI
• Do Dell computers have serial numbers?
  • Service tag

Some final thoughts…
• Evidence that is not seized cannot be examined
• Don’t be afraid to make (justifiable) changes to the data
• Don’t be afraid to ask for help or advice
• Most importantly, be careful