Deloitte Financial Advisory Services LLP
Using Computer Forensics in your Investigations
Presented to: ISACA Los Angeles Chapter
Dave Nardoni
January 12th, 2010

Agenda
Introduction (Dave Nardoni)
Analytic & Forensic Technology (Dave Nardoni)
Q & A

Who are we?
Analytic & Forensic Technology (AFT) group
Experienced team of analytic and forensic professionals
Computer forensics labs throughout the US
Access to labs throughout the globe within the Deloitte Touche Tohmatsu member firms and their affiliates

AFT International group
9 labs in the US
16 international labs
Approximately 250 professionals in the U.S.
  Federal government
  Law enforcement
  Information technologists
  Business development
Unique background and experience
  Certified Public Accountants, Certified Fraud Examiners, statisticians, online and Internet research professionals and computer forensic specialists
  Former senior law enforcement officials and agents from the FBI, Justice Department and other government agencies
  Former prosecutors, MBAs, JDs
Where does the trash go?
  Recycle Bin
  Unallocated space
  Swap file and memory/RAM
  Slack space

Problems with deleted files
  Physical disk failure
  Software failure
  Deleted files, missing metadata
  How to really delete data?
How do files get deleted?
User deleted: the file is moved into the Recycle Bin, and the bin's index is the proof of deletion
  The INFO2 index lives in the per-user folder C:\RECYCLER\S-1-5-21-651992428-3394316985-1616483159-1004\ (one folder per user SID) and records, for each item:
  Index  Date Deleted           Path
  1      06/30/06 12:05:09 PM   C:\Documents and Settings\dnardoni\My Documents\Secret\Stock Options\Stock Options Grants.doc
Emptying the bin only releases the clusters to unallocated space; the content stays on disk until something overwrites it
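The INFO2 index is a fixed-record binary file, so "proof of deletion" is a matter of parsing it. The following Python is an added example, not a tool from the presentation; it implements the Windows 2000/XP INFO2 layout documented by the open-source Rifiuti tool (20-byte header, 800-byte records) and builds its own INFO2 bytes inline so it runs offline. The single entry mirrors the slide's sample; the deletion time on the slide is local time, and the sample stores it as if it were UTC, which is what FILETIME actually carries.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index to document deletions.

Added example, not part of the original presentation. It follows the INFO2
layout documented by the open-source Rifiuti tool (20-byte header, then
fixed 800-byte records). The INFO2 bytes are constructed inline so the
script runs offline; the single entry mirrors the slide's sample.
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20           # version, two reserved dwords, record size, total size
RECORD_LEN = 0x320        # 800 bytes per record on Windows 2000/XP
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (not local time)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data: bytes) -> list[dict]:
    """Return one dict per record: original path, drive, size, deletion time (UTC)."""
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if version != 5 or record_size != RECORD_LEN:
        raise ValueError(f"unsupported INFO2: version={version} record_size={record_size}")
    records = []
    for off in range(HEADER_LEN, len(data) - RECORD_LEN + 1, RECORD_LEN):
        rec = data[off:off + RECORD_LEN]
        # 260-byte ANSI path, index, drive number, FILETIME, file size, 520-byte UTF-16LE path
        ansi, index, drive, ft, size = struct.unpack_from("<260sIIQI", rec, 0)
        wide_path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        ansi_path = ansi.split(b"\x00", 1)[0].decode("latin-1")
        letter = chr(ord("A") + drive)            # drive 2 == C:
        path = wide_path or ansi_path
        records.append({
            "index": index,
            "drive": letter,
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "original_path": path,
            # Restoring or purging an item zeroes the first byte of the ANSI path, but the
            # record itself stays behind, so the Unicode copy still names the file.
            "ansi_zeroed": ansi[0] == 0,
            # Name the item carries inside the RECYCLER folder, e.g. Dc1.doc
            "recycler_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
        })
    return records


def build_sample_info2() -> bytes:
    """Constructed INFO2 with the slide's entry: index 1, drive C:, deleted 06/30/06 12:05:09."""
    path = r"C:\Documents and Settings\dnardoni\My Documents\Secret\Stock Options\Stock Options Grants.doc"
    deleted = datetime(2006, 6, 30, 12, 5, 9, tzinfo=timezone.utc)
    header = struct.pack("<5I", 5, 0, 1, RECORD_LEN, HEADER_LEN + RECORD_LEN)
    record = struct.pack("<260sIIQI", path.encode("latin-1"), 1, 2,
                         datetime_to_filetime(deleted), 24_576)   # size is made up
    record += path.encode("utf-16-le").ljust(520, b"\x00")
    return header + record


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(f"{r['index']:>3}  {r['deleted_utc']:%Y-%m-%d %H:%M:%S} UTC  "
              f"{r['recycler_name']:<10} {r['original_path']}")
```

Convert `deleted_utc` into the custodian's time zone before quoting it in a report; the slide's 12:05:09 PM is what Explorer displayed locally, not what is stored.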
How do files get deleted?
Computer deleted: files removed by applications or the operating system (temporary files, cache, installers) skip the Recycle Bin and go straight to unallocated space
Time is of the essence!

The clock is ticking
Success is partially predicated on the time that elapses between when the incident happens and when the data is preserved
Electronic evidence is latent (similar to a fingerprint): it is present but invisible to the user, and every write to the disk can destroy part of it
Startup and shutdown create and delete files, and each new file can land on the clusters that held the evidence
Temporary internet files do the same with every browsing session
Deleted Files: A Forensic Practitioner's Point of View

Logical View

Forensic View of Logical Files

Deleted Files

Recovered Deleted Files
What can we say about these files that were previously deleted? When were they deleted? Who deleted them?

Forensic View of Deleted Files
File carving
Looking for file signatures
File signature: unique bytes at the beginning of a file that identify its type; these bytes constitute a signature for the file
Example, a JPG picture file: the first 4 bytes are FF D8 FF E0 (ÿØÿà when shown as text). FF D8 is the start-of-image marker every JPEG shares; the fourth byte names the first segment, E0 for a JFIF header and E1 for the EXIF header that cameras write, so a carver that demands E0 will miss most photographs.
Recovering data: file carving
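A signature carver in practice has to do more than match the header and cut at the next trailer: an EXIF JPEG carries a thumbnail with its own FF D8 ... FF D9 inside the APP1 segment, so "first trailer after the header" truncates the photo. The Python below is an added example, not the presentation's tool; it walks the JPEG marker segments to find the real end-of-image, and compares that with the naive approach on a buffer of "unallocated space" that it constructs inline from JPEG-shaped blobs (structurally valid, not real pictures).

```python
"""Signature-based carving of JPEG files from a raw buffer of unallocated space.

Added example, not the presentation's own tool. It scans for the JPEG
start-of-image signature FF D8 FF xx, then walks the marker segments to the
end-of-image marker FF D9, so that a thumbnail embedded in an EXIF header
(which has its own FF D8 ... FF D9) does not truncate the carve. The
"unallocated space" buffer is constructed inline from JPEG-shaped blobs
that are structurally valid but not real pictures.
"""
import re
from typing import Optional

# FF D8 = SOI, FF = next marker; the 4th byte is the first segment's marker
# (E0 JFIF, E1 EXIF, other APPn, DB quantisation table, C4 Huffman table, FE comment).
SOI = re.compile(rb"\xff\xd8\xff[\xe0-\xef\xdb\xc4\xfe]")
EOI = b"\xff\xd9"


def jpeg_end(buf: bytes, start: int) -> Optional[int]:
    """Walk marker segments from the SOI at start; return offset past EOI, or None."""
    pos, n = start + 2, len(buf)
    while pos + 2 <= n and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker == 0xFF:                              # fill byte
            pos += 1
            continue
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # stand-alone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # FF inside scan data is escaped as FF 00, so the first FF D9 is the real EOI.
            end = buf.find(EOI, pos + 2 + seg_len)
            return None if end == -1 else end + 2
        pos += 2 + seg_len                              # skips APP1 (and its thumbnail) whole
    return None                                         # lost marker sync: fragmented or overwritten


def carve_jpegs(buf: bytes, max_size: int = 8 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Return (offset, data) for each structurally complete JPEG found in buf."""
    found, pos = [], 0
    while (m := SOI.search(buf, pos)) is not None:
        start = m.start()
        end = jpeg_end(buf, start)
        if end is None or end - start > max_size:
            pos = start + 2                             # keep scanning past a broken header
            continue
        found.append((start, buf[start:end]))
        pos = end
    return found


def carve_naive(buf: bytes) -> list[tuple[int, bytes]]:
    """Header-to-first-trailer carving, for comparison: truncates at embedded thumbnails."""
    found, pos = [], 0
    while (m := SOI.search(buf, pos)) is not None:
        end = buf.find(EOI, m.start() + 4)
        if end == -1:
            break
        found.append((m.start(), buf[m.start():end + 2]))
        pos = end + 2
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def make_fake_jpeg(app1: Optional[bytes] = None, scan: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Constructed JPEG-shaped blob: SOI, APP0 (JFIF), optional APP1, SOS, scan data, EOI."""
    blob = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if app1 is not None:
        blob += _segment(0xE1, app1)
    return blob + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + scan + EOI


def build_sample_space() -> bytes:
    """Constructed 'unallocated space': filler, a plain JPEG, filler, an EXIF JPEG with a thumbnail."""
    filler = bytes(range(256)) * 4                      # contains no FF D8 FF sequence
    exif_with_thumb = b"Exif\x00\x00" + make_fake_jpeg(scan=b"\x99" * 16)
    return filler + make_fake_jpeg() + filler + make_fake_jpeg(app1=exif_with_thumb) + filler
```

Fragmented files still defeat this: when the clusters of a photo are not contiguous the walk loses marker sync and the candidate is dropped rather than carved as garbage, which is the behaviour you want for a tool whose output goes into a report.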
Recovering data: keyword searches
Keyword search for the word "hacking"
Understanding the swap file
Memory/RAM = desk (what is being worked on right now)
Swap/page file = file cabinet (what the system set aside on disk when the desk got full)
Swap file often > RAM, and its contents survive a reboot unless Windows is configured to clear the page file at shutdown
Reviewing the file cabinet: pagefile.sys
We are looking for evidence of the custodian searching for how to use a PDA as a modem. Here is what we found in pagefile.sys:

  I've mentioned to a couple of people that the BB can be used as a modem. Here is info on how to configure your BB as a modem so you can get your laptop online anywhere you have a cell signal:
  http://www.blackberryforums.com/blackberry-guides/2019-user-howto-use-blackberry-modemlaptop.html?highlight=blackberry+modem
  Also useful is Google Maps for your BB:
  ùÿôýcom/blackberry-guides/2019-user-howto-use-blackberry-modemlaptop.html?highlight=blackberry+modem x @ rdoni, David (US Los Angeles)0

The passage sits in binary data next to a second, partial copy of the URL: paged-out memory has no file boundaries and no timestamps of its own, so a hit tells you the text was in memory, not when or in which document.
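Keyword searches over a page file have one trap worth building into the tool: Windows applications hold most text in memory as UTF-16LE, so a search for the ASCII bytes of "modem" finds the e-mail body above but misses the same word typed into a browser's search box. The Python below is an added example, not from the presentation; it searches both encodings case-insensitively, keeps each hit on its own byte alignment when extracting context, and runs on a page-file fragment constructed inline (binary noise around one ASCII and one UTF-16LE passage modelled on the slide's text).

```python
"""Encoding-aware keyword search over a raw pagefile-style buffer.

Added example, not from the presentation. Windows applications hold much of
their text in memory as UTF-16LE, so a search for the ASCII bytes of a word
misses those hits; this looks for both encodings, case-insensitively, and
returns printable context around each hit. The buffer is constructed inline
(fragments modelled on the slide's BlackBerry-modem text, plus binary noise).
"""
import re


def _printable(text: str) -> str:
    return "".join(c if c.isprintable() else "." for c in text)


def keyword_hits(buf: bytes, keyword: str, context: int = 40) -> list[dict]:
    """Return hits sorted by offset: {offset, encoding, context}."""
    encodings = {"ascii": ("ascii", 1), "utf-16le": ("utf-16-le", 2)}
    hits = []
    for label, (codec, width) in encodings.items():
        # IGNORECASE on a bytes pattern folds ASCII letters, which is what both encodings use
        pattern = re.compile(re.escape(keyword.encode(codec)), re.IGNORECASE)
        for m in pattern.finditer(buf):
            lo = m.start() - context * width
            if lo < 0:
                lo = m.start() % width            # stay on the hit's byte alignment
            hi = min(len(buf), m.end() + context * width)
            hi -= (hi - lo) % width               # whole code units only
            text = buf[lo:hi].decode(codec if width == 2 else "latin-1", "replace")
            hits.append({"offset": m.start(), "encoding": label, "context": _printable(text)})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_pagefile() -> bytes:
    """Constructed page-file fragment: binary noise around one ASCII and one UTF-16LE passage."""
    noise = bytes(range(256))
    ascii_text = b"Here is info on how to configure your BB as a modem so you can get your laptop online"
    wide_text = "Searched: use blackberry as modem for laptop".encode("utf-16-le")
    return noise + ascii_text + noise[:37] + wide_text + noise


if __name__ == "__main__":
    for h in keyword_hits(build_sample_pagefile(), "modem"):
        print(f"{h['offset']:#010x} {h['encoding']:<8} {h['context']}")
```

For a real page file, stream the image in overlapping chunks rather than reading it whole, and add the custodian's other likely encodings (UTF-8 for web content, code pages for older applications) to the table.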
Slack space
Think of a collection of empty VHS tapes: each tape is a cluster on the disk

Slack space (continued)
One program goes on a tape, but a program may use several tapes:
  24 | News | Sopranos | Sopranos (continued) | NBA Finals

Slack space (continued)
Now record a collection of half-hour shows over the same tapes:
  CSI | The Unit | 60 Min | Remains of Sopranos | Myth Busters | More remains of Sopranos | 24 episode two | Remains of NBA Finals
A half-hour show fills only part of a tape, so whatever followed it in the earlier recording is still there. On a disk, the bytes between the end of a file and the end of its last cluster are file slack, and they hold the previous occupant's data.
Preservation considerations
When to Ghost?
Major differences between a Ghost image and a forensic image: a Ghost image is a logical copy of the allocated files (unless it is run in raw sector mode), while a forensic image is a bit-stream copy of every sector, including unallocated space and slack, verified by a hash of the source and the copy
Larger drives = more free space, so deleted data survives longer before it is overwritten
More usage = less chance of recovery
Metadata: what it is (and isn't)
Metadata: who, what, when, where (information about a document, not the document's visible content)
Why do I care?
  Inadvertent disclosure
  What's available
  How can it be used

Types of Metadata
  Application
  System

Application Metadata
  Microsoft Word
  Novell WordPerfect
  Microsoft Excel
  Microsoft Outlook
  Adobe Acrobat Portable Document Format (PDF)
  Exchangeable Image File Format (EXIF)
Hidden data in MS Word
Metadata Report: analyzing "hidden data sample from Deloitte Letter Template.doc"
Document Name: hidden data sample from Deloitte Letter Template.doc
Path: C:\Documents and Settings\tcastrejon\My Documents\MetaData Deck
Document Format: Word Document
Built-in document properties (2 containing metadata)
  Title: Deloitte Letter.dot
  Comments: Deloitte Word Template v2004.1 08/22/2004
Document Statistics (6 containing metadata)
  Creation Date: 7/18/2006 11:16:00 PM
  Last Save Time: 7/18/2006 11:29:00 PM
  Time Last Printed: 5/1/2002 4:04:00 PM
  Last Saved By: Deloitte & Touche
  Revision Number: 5
  Total Edit Time (Minutes): 13 Minutes
Custom document properties: No Custom Document Properties
Last 10 authors: NOT PROCESSED
Attached Template (Convert to Normal): C:\Program Files\Microsoft Office\Templates\Deloitte\Deloitte Letter.dot
Routing slip: No Routing Slip
Versions: No Versions
Track Changes: 5 Tracked Changes. Tracked Changes are On.
  1  Type: Delete  Author: Deloitte & Touche

Metadata Report (cont.)
  4  Type: Paragraph Number  Author: Deloitte & Touche
     Text: allows you to see how the document would look if you accepted all changes. Showing Markup shows deleted text in balloons in the margin of the document, while inserted text and formatting changes are shown inline. shows the original, unchanged document so that you can see how the document would look if you rejected all changes. Showing Markup shows the inserted text and formatting changes in balloons, while the deleted text remains inline. [Carriage Return]
     Location: Main Text
  5  Type: Delete  Author: Deloitte & Touche
     Text: Final allows you to see how the document would look if you accepted all changes. Showing Markup shows deleted text in balloons in the margin of the document, while inserted text and formatting changes are shown inline. shows the original, unchanged document so that you can see how the document would look if you rejected all changes. Showing Markup shows the inserted text and formatting changes in balloons, while the deleted text remains inline.
     Location: Main Text
Fast Saves: Fast Saves is Off
Hidden text: Blocks of Hidden Text: 1
  HiddenText 1  Text: Hidden text within a Word doc. While this technique is uncommon, it is mentioned to raise awareness that it does exist.  Location: Main Text
Comments: Comments: 1
  Comment 1  Author: Deloitte & Touche  Comment: This picture is cool.  Location: Main Text
Graphics: No Objects to be converted to Pictures

Note that Time Last Printed (2002) predates the Creation Date (2006): that value, like the Title, was inherited from the template, which is how a document can carry dates from a file its author never saw.
Outlook

Outlook Metadata
From: deleted J
To: Castrejon, Tomas (US - San Francisco) </O=DELOITTE/OU=US/CN=RECIPIENTS/CN=TCASTREJON>
Subject: FTP and Password Info
Created: 06/13/06 12:55:20
Sent: 06/13/06 12:55:09
Header:
  Microsoft Mail Internet Headers Version 2.0
  Received: from usndc0480.us.deloitte.com ([10.28.30.180]) by uscnt0413.us.deloitte.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 13 Jun 2006 14:55:20 -0500
  Received: from atl1.deloitte.com ([10.28.30.11]) by usndc0480.us.deloitte.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 13 Jun 2006 15:55:19 -0400
  Return-Path: <southwestcfce@gmail.com>
  Received: from nmp3.deloitte.com ([10.28.230.102] [10.28.230.102]) by atl1.deloitte.com with ESMTP for tcastrejon@deloitte.com; Tue, 13 Jun 2006 19:55:19 Z
  Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.228]) by nmp3.deloitte.com with ESMTP for tcastrejon@deloitte.com; Tue, 13 Jun 2006 19:55:19 Z
  Received: by wr-out-0506.google.com with SMTP id i31so878769wra for <tcastrejon@deloitte.com>; Tue, 13 Jun 2006 12:55:19 -0700 (PDT)
  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type;

Outlook Metadata
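The Received chain above is the part of the header an examiner works hardest: each relay prepends its own line, so reading bottom-up gives the route from Gmail's outbound server into the Deloitte environment, and the stamps are in three different offsets (-0700, Z, -0400, -0500) that all normalise to 19:55 UTC. The Python below is an added example, not from the presentation; it parses the slide's header block (with Outlook's "Microsoft Mail Internet Headers" caption dropped and the space before each offset restored, since extraction removed it) into ordered hops and flags any hop stamped earlier than the one before it.

```python
"""Reconstruct a message's route from its Received headers.

Added example, not from the presentation. Every relay prepends a Received
line, so reading them bottom-up gives the path from the sender's server to
the custodian's mailbox; normalising each stamp to UTC lets the examiner
check the hops are in order and spot skewed or forged clocks. The header
block is the one shown on the slide, with Outlook's caption line dropped
and a space restored before each timezone offset.
"""
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

HOP_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+)?by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SLIDE_HEADERS = b"""Received: from usndc0480.us.deloitte.com ([10.28.30.180]) by uscnt0413.us.deloitte.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 13 Jun 2006 14:55:20 -0500
Received: from atl1.deloitte.com ([10.28.30.11]) by usndc0480.us.deloitte.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 13 Jun 2006 15:55:19 -0400
Return-Path: <southwestcfce@gmail.com>
Received: from nmp3.deloitte.com ([10.28.230.102] [10.28.230.102]) by atl1.deloitte.com with ESMTP for tcastrejon@deloitte.com; Tue, 13 Jun 2006 19:55:19 Z
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.228]) by nmp3.deloitte.com with ESMTP for tcastrejon@deloitte.com; Tue, 13 Jun 2006 19:55:19 Z
Received: by wr-out-0506.google.com with SMTP id i31so878769wra for <tcastrejon@deloitte.com>; Tue, 13 Jun 2006 12:55:19 -0700 (PDT)
"""


def received_chain(raw_headers: bytes) -> list[dict]:
    """Return hops in transit order (sender side first), each with its stamp in UTC."""
    msg = email.message_from_bytes(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # last header line = first hop
        value = re.sub(r"\s*\r?\n\s+", " ", value)          # unfold continuation lines
        clause, _, stamp = value.rpartition(";")
        m = HOP_RE.search(clause)
        if m is None:
            hops.append({"from": None, "from_ip": None, "by": None, "utc": None, "raw": value})
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({
            "from": m.group("from"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
            "raw": value,
        })
    return hops


def time_anomalies(hops: list[dict], tolerance_s: int = 0) -> list[str]:
    """Hops whose UTC stamp precedes the previous hop's: clock skew, or a forged header."""
    out = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["utc"] and cur["utc"] and (cur["utc"] - prev["utc"]).total_seconds() < -tolerance_s:
            out.append(f"{cur['by']} stamped {cur['utc']:%H:%M:%S} before {prev['by']} {prev['utc']:%H:%M:%S}")
    return out


if __name__ == "__main__":
    for i, h in enumerate(received_chain(SLIDE_HEADERS), 1):
        print(f"{i}. {h['utc']:%Y-%m-%d %H:%M:%S} UTC  {h['from'] or '(local)'} [{h['from_ip'] or '-'}] -> {h['by']}")
```

Outlook's "Sent: 06/13/06 12:55:09" is the client's local time; it lines up with the Pacific (-0700) stamp on the Google hop, so the message left the webmail client at 19:55:09 UTC and reached the last Deloitte server eleven seconds later. Only the hops added by servers you control are trustworthy; everything below the first one your own MTA wrote could have been supplied by the sender.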
PDF

PDF Metadata

EXIF

EXIF Metadata
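EXIF is where camera make, capture time and, on GPS-equipped devices, the exact position of the photographer ride along inside the picture. Structurally it is a TIFF: a byte-order mark, then image file directories (IFDs) of 12-byte tag entries whose values are either inline or at an offset, with GPS data in a separate IFD reached through tag 0x8825. The Python below is an added example, not from the presentation; it parses both byte orders and builds its own APP1 payload inline with an invented camera and coordinates (not a real photograph).

```python
"""Read camera, timestamp and GPS position out of an EXIF APP1 segment.

Added example, not from the presentation. EXIF is a TIFF structure: a byte-
order mark, then linked IFDs of 12-byte tag entries; GPS data sits in a
separate IFD reached through tag 0x8825. The parser handles both byte orders
and inline versus offset values; the APP1 payload is constructed inline with
an invented camera and coordinates (not a real photo).
"""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}     # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
TAG_MAKE, TAG_MODEL, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0110, 0x0132, 0x8825


def parse_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """Decode one IFD into {tag: value}; values over 4 bytes live at an offset."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    out = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * n
        val_off = entry + 8
        if size > 4:
            (val_off,) = struct.unpack_from(bo + "I", tiff, val_off)
        raw = tiff[val_off:val_off + size]
        if typ == 2:
            out[tag] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif typ == 3:
            out[tag] = list(struct.unpack(bo + f"{n}H", raw))
        elif typ == 4:
            out[tag] = list(struct.unpack(bo + f"{n}I", raw))
        elif typ == 5:
            parts = struct.unpack(bo + f"{2 * n}I", raw)
            out[tag] = [(parts[j], parts[j + 1]) for j in range(0, 2 * n, 2)]
        else:
            out[tag] = raw
    return out


def dms_to_decimal(dms, ref: str) -> float:
    """GPS degrees/minutes/seconds rationals plus N/S/E/W reference -> signed decimal."""
    (d, dd), (m, md), (s, sd) = dms
    value = d / dd + m / md / 60 + s / sd / 3600
    return -value if ref in ("S", "W") else value


def parse_exif(app1: bytes) -> dict:
    if not app1.startswith(b"Exif\x00\x00"):
        raise ValueError("not an EXIF APP1 payload")
    tiff = app1[6:]
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0_off = struct.unpack_from(bo + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = parse_ifd(tiff, ifd0_off, bo)
    result = {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL),
              "datetime": ifd0.get(TAG_DATETIME), "gps": None}
    if TAG_GPS_IFD in ifd0:
        gps = parse_ifd(tiff, ifd0[TAG_GPS_IFD][0], bo)   # tags 1-4: LatRef, Lat, LonRef, Lon
        if all(t in gps for t in (1, 2, 3, 4)):
            result["gps"] = (dms_to_decimal(gps[2], gps[1]), dms_to_decimal(gps[4], gps[3]))
    return result


def build_ifd(entries, ifd_offset: int, bo: str) -> bytes:
    """Serialize [(tag, type, payload_bytes)]; payloads over 4 bytes go after the directory."""
    data_off = ifd_offset + 2 + 12 * len(entries) + 4
    directory, blob = struct.pack(bo + "H", len(entries)), b""
    for tag, typ, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\x00")
        else:
            value = struct.pack(bo + "I", data_off + len(blob))
            blob += payload
        directory += struct.pack(bo + "HHI", tag, typ, len(payload) // TYPE_SIZE[typ]) + value
    return directory + struct.pack(bo + "I", 0) + blob


def build_sample_exif(bo: str = "<") -> bytes:
    """Constructed APP1: invented camera and timestamp, a downtown-Los-Angeles-like position."""
    asc = lambda s: s.encode("ascii") + b"\x00"
    rat = lambda *pairs: b"".join(struct.pack(bo + "II", n, d) for n, d in pairs)
    gps = [(1, 2, asc("N")), (2, 5, rat((34, 1), (3, 1), (8, 1))),
           (3, 2, asc("W")), (4, 5, rat((118, 1), (14, 1), (37, 1)))]
    ifd0 = lambda gps_off: [(TAG_MAKE, 2, asc("ExampleCam")), (TAG_MODEL, 2, asc("EC-100")),
                            (TAG_DATETIME, 2, asc("2009:12:31 18:20:05")),
                            (TAG_GPS_IFD, 4, struct.pack(bo + "I", gps_off))]
    gps_off = 8 + len(build_ifd(ifd0(0), 8, bo))          # GPS IFD follows IFD0 and its data
    tiff = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8)
    return b"Exif\x00\x00" + tiff + build_ifd(ifd0(gps_off), 8, bo) + build_ifd(gps, gps_off, bo)
```

On a real file the APP1 payload is what follows the FF E1 marker and its two-byte length; the same parser then tells you which device took the picture, when its clock said it was taken, and where it was standing, none of which is visible in the image itself.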
System Metadata

Issues to avoid
Don't snoop: Locard's exchange principle holds for digital evidence too, so opening files on the suspect's machine changes access times and other metadata that you may later need
Don't try to hide images (examples)
Don't shrink images or fonts (examples)
Don't use text the same color as the background (examples)
Each of these leaves the content in the file; anyone who opens the document in a different view, or looks at it with a metadata tool, gets it back
Ways to minimize exposure
Change default settings
  Word
  PDF

Minimize exposure, cont.
PDF settings
Removing metadata
Use a metadata scrubbing tool
Save the original, remove the sensitive data from a copy, copy the content out into a fresh document or convert it to PDF before it leaves; the original stays in the file until a tool actually strips it, so check the result rather than trusting the save
Microsoft Office metadata removal tool
  http://www.microsoft.com/downloads/details.aspx?familyid=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en
Metadata Assistant
  http://www.payneconsulting.com/products/metadataretail
Using it to your advantage
Identify potential metadata: email, Office files, system
What is relevant? Example: PDF version and producer (which application, and which version, created the file)
Preservation. Example: NTFS v. CD (a file burned to CD-ROM loses NTFS-only metadata such as its original timestamps, owner and alternate data streams)
Presentation: is native format needed?
Questions?
Contact Information
Deloitte Financial Advisory Services LLP
350 South Grand Ave
Los Angeles, CA 90071 USA
David Nardoni, EnCE, CISSP
Senior Manager, Analytic & Forensic Technology
Tel: (213) 996-5927
Cell: (626) 840-8952
Fax: (213) 694-5916
dnardoni@deloitte.com
www.deloitte.com
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas: audit, tax, consulting, and financial advisory services, and serves more than 80 percent of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names. In the United States, Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation's leading professional services firms, providing audit, tax, consulting, and financial advisory services through nearly 40,000 people in more than 90 cities.
Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm's Web site at www.deloitte.com