Computer Forensic Tools. Stefan Hager

Transcription

1 Computer Forensic Tools Stefan Hager

2 Overview Important policies for computer forensic tools Typical Workflow for analyzing evidence Categories of Tools Demo SS 2007 Advanced Computer Networks 2

3 Important policies for computer forensic tools evidence must not get compromised or contaminated during investigation disk imaging necessary ensure data integrity hashing (MD5, SHA-1...) digital evidence must be permitted during litigation adheres to the standards of evidence that are admissible in a court of law SS 2007 Advanced Computer Networks 3

4 Typical Workflow for analyzing evidence SS 2007 Advanced Computer Networks 4

5 Categories of Computer Forensic Tools Disk Imaging Memory Imaging Data and Disk Analysis Special OS Live Distributions Network Forensics SS 2007 Advanced Computer Networks 5

6 Disk Imaging Hardware imagers e.g. handhelds that clone source drives write blocker to protect data on source drive fast: up to 4GB/min (SCSI) usually no additional software necessary SS 2007 Advanced Computer Networks 6

7 Disk Imaging multiple interfaces supported e.g. IDE, SATA, PATA, SCSI, USB, Firewire, Flash Cards... SS 2007 Advanced Computer Networks 7

8 Disk Imaging Software imagers Unix-based imagers dd, dcfldd, AIR, rdd, sdd Windows-based imagers ProDiscovery (images FAT12,16,32 and NTFS) AccessData (read, aquire, decrypt, analyze) calculate hashes (MD5, SHA-1) checksumming SS 2007 Advanced Computer Networks 8

9 Memory Imaging making an image of physical memory linux: dd captures the contents of physical memory using device file /dev/mem windows: hibernation c:\hiberfil.sys SS 2007 Advanced Computer Networks 9

10 Data and Disk Analysis Tools Purpose: extract, manipulate, validate data Partition Recovery (e.g. gpart) recover deleted/corrupt partitions guess partition tables recover boot sector (e.g. fdisk /mbr restores boot code in MBR, but not the partition Data Evaluation and Recovery (e.g. autopsy) restore deleted/corrupt files RAID reconstruction (RAID level 0 - striping, level 5) Password Recovery / Breaking open files that are password protected SS 2007 Advanced Computer Networks 10

11 Data and Disk Analysis Tools Carving (e.g. foremost) search an input for files or other kinds of objects based on content recover files when directory entries missing/corrupt, deleted files, damaged media look for file headers and footers "carving out" blocks between these two boundaries usually executed on a disk image and not on the original disk SS 2007 Advanced Computer Networks 11

12 Data and Disk Analysis Tools Metadata Extraction extract Metadata from different file formats (Microsoft Office Documents, PDF, Binary files,...) MAC times (Modification, Access, Creation - UNIX) WAC times (Written, Accessed, Created WINDOWS) file type User ID, Group ID SS 2007 Advanced Computer Networks 12

13 Data and Disk Analysis Tools Evaluation of timelines (e.g. Zeitline) analyzing and evaluating data for event reconstruction sources: MAC times, WAC times, system logs, firewall logs, application data timelines consist of events (time spans) events belonging to the same action grouped together events can have sub- and superevents (hierarchy) SS 2007 Advanced Computer Networks 13

14 Data and Disk Analysis Tools Evaluation of timelines e.g. events: access program gcc access file x access library y grouped together to compile program x super event of this group could be install rootkit z SS 2007 Advanced Computer Networks 14

15 Special OS Live Distributions Free Distributions DEFT Linux (built upon Kubuntu) Helix (built upon Knoppix) Commerial Distributions SMART Linux (by ASR Data) MacQuisition Boot CD (for imaging Macintosh Systems) SS 2007 Advanced Computer Networks 15

16 Network forensics Network vulnerability scanners (e.g. NESSUS) based on security vulnerability database detects remote as well as local flaws Network protocol analyzers (e.g. wireshark, ethereal) many protocols supported Live Capture / Offline Analysis VoIP analysis SS 2007 Advanced Computer Networks 16

17 Network forensics Search for rootkits (e.g. chkrootkit) scripts for checking system binaries for rootkit information checks for signs of trojans checks whether the interface is in promiscuous mode SS 2007 Advanced Computer Networks 17

18 Demo SS 2007 Advanced Computer Networks 18

19 References Vacca, J. R.: Computer Forensics: Computer Crime Scene Investigation. Hingham, Mass.: Charles River Media Forensic_Tools SS 2007 Advanced Computer Networks 19

20 References ter_forensics _works.aspx SS 2007 Advanced Computer Networks 20

21 Tools esc.php /tct.html SS 2007 Advanced Computer Networks 21

22 Tools rensics/timeline.php /tct.html elix SS 2007 Advanced Computer Networks 22

23 Questions 1. Explain shortly 3 tasks of disk analysis tools (Slides 10-14) 2. What are important policies for computer forensic tools? (Slide 3) SS 2007 Advanced Computer Networks 23

24 Thank you for your attention! SS 2007 Advanced Computer Networks 24