Computer Forensics and Digital Investigation
Computer Security EDA263, lecture 14
Ulf Larson

Lecture outline
- Introduction to Computer Forensics
- Digital investigation
- Conducting a Digital Crime Scene Investigation
- Legal aspects and considerations
- Data preservation, acquisition and analysis
  - Live incident response
  - Data duplication
  - Forensic analysis techniques
- Applicability of computer forensics

Introduction to Computer Forensics

Defining the word forensic
- American Heritage Dictionary definition of forensic: "Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law."
- Many methods use science and technology to investigate and establish facts.
- A method is called forensic when its results must be valid in a court of law.

Defining computer forensics
- The corresponding definition for computer forensics would be: "Relating to the use of computer science or technology in the investigation and establishment of facts or evidence, in a court of law, regarding crimes committed with computers or against computers."
- Alternative definitions:
  - The art and science of applying computer science to aid the legal process
  - The application of computer investigation and analysis techniques to determine potential legal evidence
- Thus, when computers are involved in the process of establishing facts that should be valid in a court of law, we call this process computer forensics.

The Digital Investigation
The digital investigation
- However, not all investigations go to court:
  - Corporate investigations
  - Private investigations
- ...and therefore not all investigations are computer forensics.
- A better name for the investigation process is digital investigation, or digital crime scene investigation.
- A digital investigation takes place when a digital incident is reported and evidence needs to be found.
- Analogy to physical investigation: a physical investigation considers fibers, footprints, blood stains and fingerprints. A digital investigation considers text files, e-mail messages, log entries and alerts.

The digital investigation: targets
- Crimes committed against computers: intrusions and break-ins by networked attackers, and insider jobs
- Crimes committed with computers: communication between criminals engaged in murder, kidnapping, assault, extortion, drug dealing, espionage, terrorism, child pornography

The digital investigation: purpose
The purpose of the investigation is to provide information about:
- What happened
- When the events that led to the crime occurred
- In what order the events occurred
- What the cause of the events was
- Who caused the events to occur
- What enabled the events to take place
- What was affected, and how much it was affected

The digital event
- A digital event is any activity or transition: interrupts, command invocations, process termination, network data transmission or reception.
- A digital event changes the state of one or more digital objects.
- A digital object is a discrete collection of digital data: a file, a hard disk sector, a network packet, a process.
- The state of a digital object is the collection of the object's characteristics: for a file, its name, content and MAC times; for a running process, its PCB and memory content.
- A data object can be a cause of a digital event or an effect of it: a process can create a file, so the process is a cause object of the creation event and the file is its effect object.

[Figure: event E with three cause objects (X, Y, Z) and one effect object. Figure: an event chain with two events, E1 and E2, where an object produced by E1 is a cause object of E2.]
Digital evidence and incidents
- Some systems have policies that forbid certain digital events.
- If one or more of the forbidden digital events occur anyway, the policy is violated and an incident has occurred.
- Digital evidence contains reliable information that supports or refutes a hypothesis about an incident.
- A data object is evidence of the forbidden event if the event changed the state of the object.

Conducting a Digital Crime Scene Investigation

Digital crime scene investigation
When an incident has occurred, we need to determine the whats, whens and whos of the incident.

Investigation phases
- Preparation: pack your bags with the equipment needed to perform the investigation
- System preservation: minimize the amount of data that is changed or deleted
- Evidence search: determine what you are looking for, and where you expect to find it
- Event reconstruction: use the evidence to determine what events occurred

Investigation process: preparation
- Before entering the crime scene, be sure to bring the necessary tools:
  - Digital cameras, screwdrivers, flashlights, IDE cables, SCSI cables
  - A prepared forensic workstation, i.e., a computer with a set of reliable tools
- And the necessary forms for the investigation:
  - Evidence worksheets, system worksheets, evidence labels, chain of custody forms
  - These let you document your every step, which is necessary if the case comes to court and you are appointed as expert witness

Investigation process: system preservation
- Preserve the crime scene to prevent changes introduced by:
  - the investigation process itself
  - the attacker, e.g., booby traps or deletion upon shutdown
- Preservation depends on the situation:
  1. Non-critical assets, or legal use: perform a full disk duplication of the suspect computer, i.e., copy the entire content of the disk(s) to a backup disk
  2. Semi-critical assets:
     Contain the suspect computer, i.e., plug the network cables into empty hubs, copy critical log data, kill suspect processes and enable system monitoring
  3. Critical assets (no downtime allowed): perform live incident response, i.e., keep the computer running, copy what you can, and monitor

Evidence searching
[Figure: the four phases of evidence searching. Phase 1, Target Definition, produces a target; Phase 2, Data Extraction and Interpretation, locates data objects; Phase 3, Data Comparison, matches the data objects against the target; Phase 4, Knowledge Update, derives new targets. Phase 4 overlaps with event reconstruction.]
Evidence search
- Phase 1: Target Definition
  - Define the target for locating evidence
  - Base the target definition on either previous experience or previously found evidence
- Phase 2: Data Extraction and Interpretation
  - Use the target to locate relevant data objects
  - Conduct searches in an ordered pattern
  - Use interpretation or abstraction layers, i.e., look at each file, each sector or each network packet
- Phase 3: Data Comparison
  - Compare the extracted data to the target
  - Matching data objects are considered potential evidence
- Phase 4: Knowledge Update
  - Search the data objects for new targets
  - Update the general investigation knowledge
  - Restart from Phase 1 with the new target definitions

Investigation process: event reconstruction
[Figure: the event reconstruction process. The Evidence Examination Phase, which overlaps with the search phase, is followed by the Event Reconstruction Phase, made up of the Role Classification Phase, the Event Construction and Testing Phase, the Event Sequencing Phase and the Hypothesis Testing Phase.]
- Goal: to examine each piece of evidence and determine what events it was involved in, so that we can determine which events occurred at the crime scene
- Develop and test hypotheses about the events that an object was the effect of and, when applicable, determine what events it could have been a cause of
- Attempt to deduce previous states by examining the events in which an object may have been involved
- Question why an object has its properties, where they could have come from, and when they were created

Legal aspects and considerations

Digital evidence and the law
- Digital evidence may be used in a court of law
- Evidence may support a physical witness, or be used stand-alone
- The investigator may then be called as an expert witness to explain the relevance of the evidence
- To be credible, the investigator needs to show:
  - that certain measures have been taken during the investigation
  - that no changes have been introduced to the crime scene during the investigation
Guidelines for collecting digital evidence
- There is no established checklist for how to collect evidence for use in a court of law
- However, there are guidelines, the questions a court asks about a method (these are the Daubert criteria applied by US courts):
  - Have the theories and techniques employed during evidence collection been tested?
  - Do the techniques for evidence collection have a known error rate?
  - Are the techniques subject to standards governing their application?
  - Do the theories and techniques enjoy widespread acceptance?

Collection procedure
- Verify that no changes have been introduced to the crime scene during the investigation:
  - Physical: don't move furniture, reposition bodies or wash up stains. Isolate the environment. Don't walk around in the area.
  - Digital: don't move files, run programs or remove data. Isolate the computer. Don't walk around in the file system.
- Document what you do:
  - Physical: take photos and samples, and wear gloves so as not to introduce new objects. Document your actions.
  - Digital: take snapshots of the computer state, duplicate data, and use write blockers. Document your actions.

Expertise needed by the investigator
[Figure: the investigator's expertise spans three overlapping areas: legal procedures and laws of evidence, investigative techniques, and computer technology.]

The investigator as expert witness
- The investigator as an expert witness in a court of law:
  - helps judges and juries to understand e-evidence
  - raises doubt in, or removes doubt from, the minds of the jury
  - has the knowledge to reconstruct or explain what happened without having observed it directly
  - is qualified by knowledge, skill, experience, training, or education

Preservation, acquisition and analysis
- Live incident response
- Forensic duplications
- Forensic analysis techniques
Live incident response
- Live incident response: when the suspect computer is still running
  - Collect all relevant data to confirm whether an incident has occurred
  - Collect both volatile and non-volatile data
- Volatile data disappears when the computer is powered off. Example: process memory content.
- Non-volatile data can still be recovered after power off, but might be easier to read if captured with the proper system tools. Example: it is easier to read already formatted system logs than raw binary data.
- Procedure:
  - Connect your prepared forensic workstation to the suspect computer
  - Set up a channel between the suspect computer and the workstation
  - Run commands on the suspect computer to produce data, and transfer the data over the channel
  - Hash the data to protect its integrity
  - Run the commands from the trusted tool set of the forensic workstation, not from the suspect's own binaries, since the attacker may have replaced those; every command you run changes the state of the suspect system, so collect the most volatile data first and document the order

Volatile data
- Volatile data disappears at power off:
  - System date and time
  - Current network connections
  - Open TCP or UDP ports and related processes
  - Users currently logged on
  - Running processes
  - Open files
  - Process memory dumps
  - System memory dumps
- System date and time
  - Important for correlating time between suspect computers
  - May reveal system and file timestamp tampering
- Current network connections
  - The attacker may still be connected to the suspect computer
  - The attacker may be using the suspect computer to brute force passwords on other computers
- Open TCP and UDP ports and related processes
  - Useful for filtering out commonly used ports from suspicious ports
  - Useful for finding suspicious processes by observing the name or path of the processes involved in connections
- Users currently logged on
  - Allows us to find out who is accessing the system right now
  - May reveal attackers that are currently logged in, and whose accounts they are using
- Running processes
  - Allows us to find suspicious processes currently running
  - May reveal the names of binaries that do not normally exist on the system
- Open files
  - Allows us to see what files, pipes and sockets each running process is using
  - May reveal information about the files being accessed, including their names
- Process memory dumps
  - Allow us to find cleartext passwords, unencrypted data and the command line used to execute the process
- System memory dumps
  - Allow us to find remnants of previous sessions and other intrusive processes
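The live-response procedure above (run commands, transfer the output, hash it) as an added Python example. It is not the lecture's code or any tool's; the trusted-binary mount point TRUSTED_BIN and the Linux-flavoured command list are assumptions, and demo() runs a constructed command so the example works offline. The point it adds is the manifest: every output file gets a SHA-256 at collection time, so any later change to the collected files is detectable.

```python
"""Live-response collector (added example, not the lecture's own code).

Runs a list of commands on the suspect machine with the forensic
workstation's trusted tools first in PATH, stores each output, and hashes
it so that later tampering with the collected files can be detected.
TRUSTED_BIN and SAMPLE_COMMANDS are hypothetical and must be adapted.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

TRUSTED_BIN = "/mnt/forensics/bin"   # hypothetical mount of trusted binaries

# Order of volatility: most volatile first (Linux-flavoured sample list).
SAMPLE_COMMANDS = [
    ("date",    ["date", "-u"]),
    ("netstat", ["netstat", "-anp"]),
    ("who",     ["who"]),
    ("ps",      ["ps", "auxww"]),
    ("lsof",    ["lsof", "-n"]),
]


def record_output(name, data, outdir):
    """Write one command's output to outdir and return its manifest entry."""
    path = os.path.join(outdir, name + ".out")
    with open(path, "wb") as f:
        f.write(data)
    return {"name": name, "file": path, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def collect_volatile(commands, outdir, trusted_bin=TRUSTED_BIN):
    """Run each command, save stdout+stderr, hash it; return the manifest.

    argv[0] is resolved through PATH with trusted_bin prepended, so a
    trojaned /bin/ps on the suspect is bypassed when a trusted copy exists.
    """
    os.makedirs(outdir, exist_ok=True)
    env = dict(os.environ)
    env["PATH"] = trusted_bin + os.pathsep + env.get("PATH", "")
    manifest = []
    for name, argv in commands:
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, env=env, timeout=60)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, rc = repr(exc).encode(), None   # record the failure, keep going
        entry = record_output(name, data, outdir)
        entry.update({"argv": argv, "started_utc": started, "returncode": rc})
        manifest.append(entry)
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest):
    """Re-hash every recorded file; return the names whose hash no longer matches."""
    bad = []
    for entry in manifest:
        with open(entry["file"], "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != entry["sha256"]:
                bad.append(entry["name"])
    return bad


def demo():
    """Offline run with one constructed command, so the example works anywhere."""
    outdir = tempfile.mkdtemp(prefix="liveresp-")
    code = "import sys; sys.stdout.buffer.write(b'constructed sample output\\n')"
    return collect_volatile([("sample", [sys.executable, "-c", code])], outdir)


if __name__ == "__main__":
    for e in demo():
        print(e["name"], e["bytes"], e["sha256"])
```

In a real collection the manifest and the output files go straight over the channel to the workstation rather than to the suspect's disk, and the manifest is hashed and noted on the evidence worksheet together with the time it was produced.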
Non-volatile data
- Non-volatile data persists after power off:
  - System version and patch level
  - System event logs
  - User accounts
  - Web-server logs
  - Suspicious files
- System version and patch level
  - The version and patch level imply which attacks the system is vulnerable to, i.e., the starting point for the investigation
- System event logs
  - Security logs, application logs and system logs
  - Allow us to find relevant entries regarding security issues, or events that either applications or the system find notable
- User accounts
  - Listing the accounts allows us to see if any new accounts have been created by the attacker
- Web-server logs
  - A type of application log, but should be treated more carefully since web servers are highly exposed assets
  - If attacks are automated, we can find this out from the timestamps of individual log entries
  - We can also find out if the web server executed commands on the host
- Suspicious files
  - Allow us to find more information regarding the attack
  - Usually done during live response unless a forensic duplication is made, in which case the files are examined on the duplicate instead

Forensic Duplications

Forensic duplications
- A forensic duplication means making a complete, byte-by-byte copy of the contents of a storage device
- The goal is to transfer all data from the suspect system to the forensic copy without altering the suspect system in any way
- Special devices that block write operations to the suspect system (write blockers) are used
- Commercial solutions:
  - Commercial hardware system: the RoadMASSter 3 Forensics Data Acquisition and Analysis tool
  - Related software: EnCase or Forensic Tool Kit (FTK)
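The byte-by-byte copy with a hash recorded per block, as an added Python example of what a duplication tool does at heart; this is not the lecture's code nor that of any product named on the slides, and the block size, paths and the constructed sample "device" in demo() are assumptions. It goes one step beyond the slides by showing why the per-block hash log is worth keeping: when an image later fails verification, the log tells you which block differs instead of only that the whole-image hash is wrong.

```python
"""Byte-by-byte duplication with a per-block hash log (added example).

Reads the source in fixed-size blocks, writes every block unchanged to the
image, records a SHA-256 per block and one over the whole stream, and can
verify an image block by block to localize any divergence. On real media
run it against the raw device behind a write blocker; the constructed
sample device in demo() is a stand-in.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # hash window, i.e. one disk sector as on the slides


def duplicate(src, dst, block=BLOCK):
    """Copy src to dst; return (per-block sha256 list, whole-image sha256, bytes copied)."""
    total = hashlib.sha256()
    blocks = []
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(block)
            if not chunk:
                break
            fout.write(chunk)                 # written unchanged, nothing interpreted
            total.update(chunk)
            blocks.append(hashlib.sha256(chunk).hexdigest())
            copied += len(chunk)
    return blocks, total.hexdigest(), copied


def verify(image, blocks, block=BLOCK):
    """Re-hash image block by block; return the indices of blocks that differ."""
    bad = []
    with open(image, "rb") as f:
        for i, expected in enumerate(blocks):
            chunk = f.read(block)
            if hashlib.sha256(chunk).hexdigest() != expected:
                bad.append(i)
        if f.read(1):                         # image longer than the recorded log
            bad.append(len(blocks))
    return bad


def demo():
    """Constructed device of 3.5 blocks, so the last block is short."""
    work = tempfile.mkdtemp(prefix="dup-")
    src = os.path.join(work, "suspect.dev")
    img = os.path.join(work, "suspect.img")
    data = bytes(range(256)) * 7               # 1792 bytes of sample content
    with open(src, "wb") as f:
        f.write(data)
    blocks, digest, copied = duplicate(src, img)
    clean = verify(img, blocks)
    with open(img, "r+b") as f:                # simulate damage inside block 2
        f.seek(2 * BLOCK + 10)
        f.write(b"\xff")
    return {"blocks": len(blocks), "copied": copied, "digest": digest,
            "clean": clean, "after_tamper": verify(img, blocks),
            "source_sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    r = demo()
    print(r["blocks"], "blocks,", r["copied"], "bytes, sha256", r["digest"])
    print("verify before:", r["clean"], " after tamper:", r["after_tamper"])
```

Two things a real acquisition needs that this sketch leaves out: unreadable sectors (dd handles them with conv=noerror,sync, padding the bad block so offsets stay aligned, and the per-block log then records which blocks were padded), and a hash of the source taken independently of the copy, so that the image can be shown to match the original device and not merely itself.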
Forensic duplications
- Non-commercial solutions
  - Standard UNIX programs will do for creating copies
  - Don't underestimate the power of the write blocker, especially if there are legal requirements
- Tools
  - The Data Dump (dd) program performs a byte copy from source to destination
  - The dcfldd program copies data and produces a hash of every copied 512-byte block (the window size is configurable with its hashwindow option)
- Differences between commercial and non-commercial duplications:
  - Commercial software costs money, but provides nice interfaces and (hopefully) support, and is more credible in a court of law
  - Commercial hardware costs money, but might be necessary in court to assure that no changes have been made to the evidence disk

Forensic Analysis Techniques

Forensic analysis techniques
- Steps that are common to the majority of investigations, i.e., what you need to do:
  - Recovering deleted files
  - Production of time stamps and other metadata for files
  - Removing known files
  - String searching and file fragments

Recovering deleted files
- Different approaches for different operating systems and file systems
- The investigator needs good knowledge of how the file system is organized and how the operating system treats deleted data
- Usually the type of file system is given to the tool, which then investigates the file system accordingly
- Files exist in two shapes, logical and deleted

Production of time stamps and metadata
- Metadata: full file names, sizes, MAC times, MD5 hashes
- Used for file name searches, timeline analyses and reporting
- Common UNIX tools can do this for logical data; specialized tools can do it also for deleted data
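Three of the common analysis steps listed above (metadata and timeline production, removal of known files by hash, and string searching; the last two are detailed on the following slides), as one added Python example working on a mounted read-only copy of the evidence. It is not the lecture's code or any tool's; demo() builds a small constructed evidence tree, the known-good hash set is a stand-in for a collection such as the NIST NSRL, and SHA-256 is used instead of the MD5 named on the slide since MD5 collisions are practical today. The keyword search reads the data in sector-sized blocks but keeps an overlap between blocks, so a string that straddles a sector boundary is still found, which a plain per-sector search misses.

```python
"""Timeline, known-file removal and keyword search on an evidence tree
(added example, not the lecture's own code). Only logical files are
covered; deleted data needs a file-system-aware tool as the slides say.
"""
import hashlib
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_timeline(root):
    """Return [(timestamp, 'm'|'a'|'c', path)] sorted by time, one row per MAC time.

    Note: on Linux st_ctime is the inode change time, not the creation time.
    """
    events = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)                   # lstat: never follow symlinks on evidence
            events += [(st.st_mtime, "m", p), (st.st_atime, "a", p), (st.st_ctime, "c", p)]
    return sorted(events)


def remove_known(root, known_hashes):
    """Return the paths under root whose SHA-256 is NOT in the known-good set."""
    unknown = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if file_sha256(p) not in known_hashes:
                unknown.append(p)
    return sorted(unknown)


def search_keyword(path, keyword, block=512):
    """Return every byte offset of keyword in path, reading block-wise.

    The last len(keyword)-1 bytes of each block are carried into the next
    read, so a keyword straddling a block (sector) boundary is still found
    and no hit is reported twice.
    """
    hits, carry, pos = [], b"", 0             # pos = file offset of carry[0]
    overlap = len(keyword) - 1
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            buf = carry + chunk
            i = buf.find(keyword)
            while i >= 0:
                hits.append(pos + i)
                i = buf.find(keyword, i + 1)
            keep = min(overlap, len(buf))
            carry = buf[len(buf) - keep:]
            pos += len(buf) - keep
    return hits


def demo():
    """Constructed evidence tree: one known binary and one unknown note file."""
    root = tempfile.mkdtemp(prefix="evidence-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "home", "bob"))
    ls_path = os.path.join(root, "bin", "ls")
    note_path = os.path.join(root, "home", "bob", "notes.txt")
    ls_bytes = b"constructed stand-in for a known ls binary"
    # 'b0mb' once inside the first sector (offset 100) and once straddling offset 512.
    note_bytes = b"x" * 100 + b"b0mb" + b"x" * 406 + b"b0mb" + b"tail"
    with open(ls_path, "wb") as f:
        f.write(ls_bytes)
    with open(note_path, "wb") as f:
        f.write(note_bytes)
    os.utime(note_path, (1_000_000_000, 1_000_000_000))   # notes older than ls
    os.utime(ls_path, (1_100_000_000, 1_100_000_000))
    known = {hashlib.sha256(ls_bytes).hexdigest()}          # stand-in for an NSRL-style hash set
    return {"timeline": build_timeline(root),
            "unknown": remove_known(root, known),
            "hits": search_keyword(note_path, b"b0mb")}


if __name__ == "__main__":
    r = demo()
    for ts, kind, p in r["timeline"]:
        print(f"{ts:.0f} {kind} {p}")
    print("unknown files:", r["unknown"])
    print("keyword offsets:", r["hits"])
```

Once the known files are removed, the keyword search only has to run over what remains, and each hit's offset is the entry point for the next phase on the slides: inspect the rest of that data object and use what it contains as the new target.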
Removing known files
- Limit the number of files that need to be considered
- Remove the files that are considered normal:
  - Compare the hash of every file in the file system to a known-good set of hashes
  - Collections of such hashes exist (for example the NIST National Software Reference Library, NSRL)
  - Remove the matches

String searching and file fragments
- When searching for data, two situations may come up:
  - A data object, e.g., a file, is found: inspect the file directly with a suitable application, and look for keywords that can forward the search
  - A keyword or string, e.g., "b0mb", is present: search the system for data objects containing the string, then investigate the rest of each data object found

Applicability of computer forensics

Application areas
- Email tracing
- Web browsing reconstruction
- Intrusion analysis
- Cell phone and PDA forensics
- USB and Flash memory forensics
- Static and dynamic binary analysis

Conclusion
- Computer forensics is the application of technology and science to establish facts in a court of law
- A digital investigation preserves the crime scene, searches for evidence, and reconstructs events
- A digital investigator needs to know computers and the legal system, and must be able to draw conclusions
- Different approaches to the investigation are required depending on the situation: on one extreme we have live response, on the other forensic duplication
- Several techniques are available to reduce the number of objects and to pinpoint the important ones
- Forensics has many application areas, including PDA forensics and intrusion analysis