Andreas Kaltsounis Sherry Johnson Computer Forensics, Crime & Investigators October 6, 2010 2010 Organization of Bar Investigators Conference


Page 1: Andreas Kaltsounis Sherry Johnson Computer Forensics, Crime & Investigators October 6, 2010 2010 Organization of Bar Investigators Conference

Andreas Kaltsounis
Sherry Johnson

Computer Forensics, Crime & Investigators
October 6, 2010

2010 Organization of Bar Investigators Conference

Page 2

Trends in Computer Usage & Crime

• Computer Usage

Email, Text-Messaging

PDAs and Smartphones

Social Networking

• Computer Crime

Botnets

Computer Intrusions & Corporate Espionage

Page 3

What we Can Do

• Define HOW proprietary data was stolen, and HOW MUCH of it was stolen

• Detect the alteration of documents, images, or other files

• Track internet usage and web activity

• Create a timeline of user activity on a system

• Recover emails and other files that have been “deleted”

• Document unauthorized access to systems or servers (intrusions)

• Identify the use of anti-forensics (cleaning utilities)

Page 4

What we Can’t Do

• Recover information if it has been truly deleted (that is, overwritten)

• Tell you with certainty WHO was using a computer

• Conduct an examination without access to the drive, or on a physically damaged drive

Page 5

Digital Forensics
What types of investigations can Digital Forensics support?

• Thumb (Jump) Drives

• CD/DVD Forensics

• Camera Forensics

• Copier Hard Drives

• Cell Phone Forensics

Call Detail Records

Text Messages

GPS & Tower Location Data

Page 6

What is Digital (Computer) Forensics?

Forensic Evidence – Where to Start

• Forensic Examinations

Need to Substantiate:

• What was being done on the computer / device

• When it was being done

• Who (user account) was doing it

Page 7

What type of information can you get from Digital Forensic analysis?

• Could be as little as 4 words carved from a deleted file

• Or a part of a picture carved from unallocated space

Page 8

Forensics 101 – Don’t Take Actions That Will Change the Evidence

• What not to do

Allow anyone to “look around”, open, close, move, or copy

Hitting a key could trigger an undesired change

Not always best to pull the plug and turn the system off

• What to do

Have a forensic expert with you or someone you can call

Document all actions taken

If the system is on, have it checked for encryption

Make decisions as to the best way to take the image

[There are several forensically acceptable ways to take an image of a live system, but the actions need to be well documented.]

Page 9

Tying Evidence to:

• Who

• What

• When

• How

• (Why)

• (Where)

Page 10

Tying Evidence to: Who
Who has been using this system?

SAM Registry File

Last Logon Time may not be useful if the system has been left on for days

Page 11

Tying Evidence to: Who
Which user was the last one to use the system?

• Compare Time/Date of all user NTUSER.DAT files

• Compare last used NTUSER file to SYSTEM file Last Access Time/Date

Page 12

Tying Evidence to: Who
What can be used to establish connection to suspect?

• Non-Digital Forensics:

Phone records

Door cards

Video monitors

Witnesses

• Check Log Files

Applications used by suspect

Chat file logs

Page 13

Tying Evidence to: Who
Chat Logs

Page 14

Tying Evidence to: Who
Is there a QUICK way to check across suspect-related files?

• Filter on User SID

• Review All Files

• Sort by Last Access

Page 15

Tying Evidence to: Who
How to DEBUNK the Malware / Virus defense? “I didn’t do it… Malware, Viruses or hackers did it”

• Establish multiple indicators of Who was on the computer and When

• Prove Malware / Virus is not on the system

• Prove what the Malware / Virus found is designed to do, and that it would not have created this body of evidence of wrongdoing

Page 16

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Gmail Password & Time / Date Last Used (Written)

Page 17

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Google User ID & Password

• Time / Date Used

Page 18

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Documents Most Recently Used & Time / Date (Open and/or Saved)

Page 19

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Recent Documents Used & Time / Date:

Page 20

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Internet Form Data & Time / Date

Captures any information typed into a web form

Page 21

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Internet Form Data & Time / Date:

Page 22

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• eBay User ID and Password & Time / Date:

Page 23

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Shell Folders

Lists default locations for the information relevant to this user

Page 24

Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)

• Typed URLs

Created by user showing an intended action (typed or pasted)

Will be “deleted” when the user clears their Internet Explorer History

The lower the number, the more recent the URL was accessed

Page 25

Tying Evidence to: What
Where / When has the suspect gone on the web? (Local Settings\ personal config folder)

• User Internet History (History IE5)

Websites visited

Index.DAT (Master history index file): Clear History will drop and create a new file, but the old file is still there until overwritten

The user actually clicked on these links or went there!!

Page 26

Tying Evidence to: What
Web – Internet History (History IE5)

Page 27

Tying Evidence to: What
Web – Internet History: Temporary Internet Files

Page 28

Tying Evidence to: What
Was a File Printed? *.EMF files

Page 29

Tying Evidence to: What
What files did the suspect (try to) delete – Recycle Bin? (separate folder for each user) Info2 file

Page 30

Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices): Local Drive

Page 31

Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices): Local to External Drive

Page 32

Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices): External Drive

Page 33

Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices): Network Drive

Page 34

Tying Evidence to: What
What Other Devices Have Been Connected? IDE/USB/USBStore

[Cameras may not always be found under USBSTORE; also look in USB. Multifunctional devices will have a line for each function: fax, copier, printer, scanner.]

Page 35

Tying Evidence to: What
When was the file created and Who created it? Has the file been changed and When / Who has changed it? Meta Data

Meta Data File Information (varies by type of file):

Creator (Author) Name, Last Author, Date Created, Date Last Printed, Date Last Modified, Tracked Changes by Author [Track Changes needs to have been turned on in WORD], Last Name to Modify, Hidden Objects, Hidden Text, # of Revisions, Total Editing Time, Smart Tag Captured Information

[Word documents can maintain past revisions and up to 10 of the last authors to edit the file.]

Meta data around files (article): The New Metadata Rules – What a busy attorney won’t take the time to tell you, and how it affects the legal IT department, by Donna Payne, Payne Consulting Group
http://www.payneconsulting.com/pub_books/articles/pdf/ILTAPayneMetadata.pdf

Page 36

Tying Evidence to: What
Are there Similar Files or Other Versions of the file? Meta Data based on MD5 Hash

Page 37

Tying Evidence to: What
What applications were used recently? Prefetch – use to locate Malware

Page 38

Tying Evidence to: What
What applications were used recently? Prefetch – use to locate cleaners (CCleaner), defrag, and backup software (Carbonite – remote backup site/service)

[Listing the related / dependent files and processes for Carbonite backup]

Page 39

Tying Evidence to: What / Who
Are there Emails and Attachments related to scope and suspect?

Page 40

Tying Evidence to: When
Has the System Time/Date Been Changed?

• Changes tracked in the Security.EVT registry log file

• Use an Event Viewer: FSPRO Labs, Eventlogxp.com

• Manually (re)setting the system time creates an Event ID # 520

• Meaning of Event IDs for different OS: www.EventID.net

• Networked computers synchronize local clocks with a time server on the Internet or an intranet.
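Added example (not from the presentation): a check over constructed event records for the Event ID 520 time changes described above, reporting how far and in which direction the clock moved. The record layout, the "Previous Time / New Time" text and the 300-second tolerance are assumptions for illustration, not the real Security.EVT format.

```python
import re
from datetime import datetime
from typing import Dict, List

TIME_CHANGE_EVENT_ID = 520   # slide 40: manually (re)setting the system time
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed records in a simplified text layout (not real Security.EVT
# output); only the fields this check needs are present.
SAMPLE_EVENTS = [
    {"event_id": 1, "logged": "2010-10-01 08:02:11",
     "text": "Filler event unrelated to the clock"},
    {"event_id": 520, "logged": "2010-10-01 08:03:00",
     "text": "The system time was changed. Previous Time: 2010-10-01 08:03:00 "
             "New Time: 2010-10-01 08:03:02"},
    {"event_id": 520, "logged": "2010-10-03 21:15:40",
     "text": "The system time was changed. Previous Time: 2010-10-03 21:15:40 "
             "New Time: 2010-09-20 21:15:40"},
]

_PAIR = re.compile(r"Previous Time:\s*(\S+ \S+)\s+New Time:\s*(\S+ \S+)")

def find_time_changes(events: List[Dict], tolerance_seconds: int = 300) -> List[Dict]:
    """Return one finding per time-change event. delta_seconds is new minus
    previous. A jump larger than tolerance_seconds (assumed threshold, wide
    enough to ignore ordinary time-server synchronisation) is marked
    suspicious, and a large negative jump as backdating of the clock."""
    findings = []
    for ev in events:
        if ev["event_id"] != TIME_CHANGE_EVENT_ID:
            continue
        m = _PAIR.search(ev["text"])
        if not m:
            # Keep the record visible rather than silently dropping it.
            findings.append({"logged": ev["logged"], "error": "unparsed time-change text"})
            continue
        prev = datetime.strptime(m.group(1), TIME_FMT)
        new = datetime.strptime(m.group(2), TIME_FMT)
        delta = (new - prev).total_seconds()
        findings.append({
            "logged": ev["logged"],
            "previous": prev,
            "new": new,
            "delta_seconds": delta,
            "suspicious": abs(delta) > tolerance_seconds,
            "backdated": delta < -tolerance_seconds,
        })
    return findings

if __name__ == "__main__":
    for f in find_time_changes(SAMPLE_EVENTS):
        print(f)
```

Events after a backdating should be read against the corrected offset before they are placed on a timeline.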

Page 41

Tying Evidence to: When
Time & Date Change in Event Viewer

Page 42

Tying Evidence to: When / What / Who

When did the Suspect and Events coincide? – Timelines
Using the Suspect personal config file (NTUSER.DAT)

• UserAssist shows what windows they had open

• RecentDocs (also used under What)

• MRU lists

OpenSaveMRU

MapNetworkDriveMRU

Explorer\RunMRU

Explorer\StreamMRU

Page 43

How can a suspect change critical File Times? Create / Access / Modify

Laptops & Desktops

• Copy from one folder to another

Updates the Creation date to the current date

No change to Modify date

• Move from one folder to another

No change to Modify or Create dates

USB Storage Devices

• Copy or Move from one folder to another is the same as for laptops / desktops

• Copy file from USB to laptop/desktop

Updates Creation date

No change to Modify date

• Move file from USB to laptop/desktop

No change to Modify or Create dates

Page 44

Anti (Counter)-Forensics

• Recently recognized as a legitimate field of study

• “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”

(Dr. Marc Rogers of Purdue University)

• “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.”

(Scott Berinato in his article, The Rise of Anti-Forensics)

Page 45

Anti (Counter)-Forensics
From Wikipedia

• Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler.

One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers.

He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.

Page 46

Anti (Counter)-Forensics

Windows Based

Windows Defrag

Format and reinstall the OS

Copying / Moving large amounts of data around repeatedly

Page 47

Anti (Counter)-Forensics
OS (Re)Installation

Page 48

Anti (Counter)-Forensics
Registry Cleaners

PCTools Registry Doctor

XP Medic (XPMedic.com)

Registry Patrol (registrypatrol.com)

Page 49

Anti (Counter)-Forensics

Software Examples

Metasploit – Anti-Forensic Toolkit: Anti-Forensic Investigation Arsenal (MAFIA)

Transmogrify – Trail-obfuscation program

In most file types the header of the file contains identifying information. A (.jpg) would have header information that identifies it as a (.jpg), a (.doc) would have information that identifies it as (.doc) and so on. Transmogrify allows the user to change the header information of a file, so a (.jpg) header could be changed to a (.doc) header. In a forensic examination searching for images (.jpg) on a machine, it would simply see a (.doc) file and skip over it.

Slacker – A program used to hide files within the file slack space on a Windows computer

Darik’s Boot and Nuke – disk wiping software
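Added example, not part of the presentation: a defender's counter to the header swap described above. It compares each file's extension with its header signature and, because a rewritten header leaves the rest of the file untouched, also with structure deeper in the file (an inner marker and the trailer). The sample bytes are constructed and the marker tables are a small illustrative subset.

```python
from typing import Optional

# Canonical content types keyed by the magic bytes at offset 0.
HEADER_MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF",),
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # .doc/.xls/.ppt container
    "zip":  (b"PK\x03\x04",),                          # also .docx/.xlsx
}
EXT_TO_TYPE = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif", "pdf": "pdf",
               "doc": "ole2", "xls": "ole2", "ppt": "ole2",
               "zip": "zip", "docx": "zip", "xlsx": "zip"}
# Structure that survives a rewritten header: an inner marker and the trailer.
BODY_MARKERS = {
    "jpg": (b"\xff\xdb", b"\xff\xd9"),               # DQT segment ... End Of Image
    "png": (b"IHDR", b"IEND\xae\x42\x60\x82"),
    "pdf": (b" obj", b"%%EOF"),
}

def header_type(data: bytes) -> Optional[str]:
    for kind, magics in HEADER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def body_type(data: bytes) -> Optional[str]:
    tail = data.rstrip(b"\r\n\x00")
    for kind, (inner, trailer) in BODY_MARKERS.items():
        if inner in data and tail.endswith(trailer):
            return kind
    return None

def classify(name: str, data: bytes) -> str:
    """Compare extension, header and body. Returns 'consistent',
    'unknown-header', 'extension-mismatch:<header type>' (a renamed file) or
    'body-mismatch:<body type>' (header rewritten, but the structure disagrees)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TO_TYPE.get(ext)
    hdr = header_type(data)
    if hdr is None:
        return "unknown-header"
    if expected != hdr:
        return f"extension-mismatch:{hdr}"
    body = body_type(data)
    if body is not None and body != hdr:
        return f"body-mismatch:{body}"
    return "consistent"

# Constructed sample: a minimal JPEG-like byte string (SOI, APP0, DQT, EOI).
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xdb\x00\x43\x00" + b"\x10" * 64 + b"\xff\xd9")
# The same bytes with the first eight overwritten by the OLE2 (.doc)
# signature, the kind of header swap the slide describes.
DISGUISED_SAMPLE = HEADER_MAGIC["ole2"][0] + JPEG_SAMPLE[8:]

if __name__ == "__main__":
    for name, data in [("photo.jpg", JPEG_SAMPLE), ("photo.doc", JPEG_SAMPLE),
                       ("report.doc", DISGUISED_SAMPLE), ("readme.txt", b"hello")]:
        print(name, classify(name, data))
```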

Page 50

Anti (Counter)-Forensics

Software Examples

Timestomp – Goal is to allow for the deletion or modification of time stamp related information on files. There are four date and time stamps that files display which are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table.

Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. The Windows operating system records at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flipside, if the values are simply changed to believable values, then there is little chance the change(s) will be noticed at a casual glance.
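Added example (not from the presentation) combining the copy/move rules of slide 43 with the note above on absent time stamps: it flags files whose Modified precedes Created (the fingerprint of a copy, or of an edited stamp), files with missing stamps, and an MFT entry time older than Modified (a heuristic assumed here, not stated on the slides). The records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class NtfsTimes:
    path: str
    created: Optional[datetime]
    modified: Optional[datetime]
    accessed: Optional[datetime]
    mft_changed: Optional[datetime]   # MFT entry modified

def check_times(rec: NtfsTimes) -> List[str]:
    stamps = {"created": rec.created, "modified": rec.modified,
              "accessed": rec.accessed, "mft_changed": rec.mft_changed}
    missing = [k for k, v in stamps.items() if v is None]
    if missing:
        # Slide 50: Windows always records some time stamps, so absence is
        # itself a finding and nothing else can be compared.
        return ["missing:" + ",".join(missing)]
    findings = []
    if rec.modified < rec.created:
        # Slide 43: a copy refreshes Created but keeps Modified, so this is
        # the fingerprint of a copied file (or of an edited time stamp).
        findings.append("modified-before-created")
    if rec.accessed < rec.created:
        findings.append("accessed-before-created")
    if rec.mft_changed < rec.modified:
        # Assumed heuristic: a content change also updates the MFT entry
        # time, so an entry time older than Modified is not natural.
        findings.append("mft-changed-before-modified")
    return findings

def triage(records: List[NtfsTimes]) -> Dict[str, List[str]]:
    """Map each path with at least one finding to its findings."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        found = check_times(rec)
        if found:
            out[rec.path] = found
    return out

# Constructed records (not real evidence).
SAMPLE = [
    NtfsTimes(r"C:\Documents and Settings\alice\My Documents\budget.xls",
              datetime(2010, 9, 1, 9, 0), datetime(2010, 9, 10, 14, 0),
              datetime(2010, 10, 5, 16, 10), datetime(2010, 9, 10, 14, 0)),
    NtfsTimes(r"E:\backup\budget.xls",            # copied to a USB drive
              datetime(2010, 10, 5, 16, 20), datetime(2010, 9, 10, 14, 0),
              datetime(2010, 10, 5, 16, 20), datetime(2010, 10, 5, 16, 20)),
    NtfsTimes(r"C:\temp\stomped.doc", None, None, None, None),
    NtfsTimes(r"C:\temp\backdated.doc",
              datetime(2009, 5, 5, 10, 0), datetime(2009, 5, 5, 10, 0),
              datetime(2009, 5, 4, 10, 0), datetime(2009, 5, 5, 9, 0)),
]

if __name__ == "__main__":
    for path, found in triage(SAMPLE).items():
        print(path, found)
```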

Page 51

Anti (Counter)-Forensics
Wiping Tools

Eraser (free & ready to install)

CCleaner (free)

Window Washer ($29.95)

Erases browser history, cookies & cache

Protects passwords and personal information

Permanently deletes unwanted files

Frees up space on HD

Removes cookies and unnecessary files

Sets automatic cleanings

Evidence Eliminator ($29.95)

Erase all tracks of internet activity

Internet & windows tracks erasing

Page 52

Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner

Page 53

Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner

Page 54

Useful Tools

Read-Only Hard Drive Viewing / Live image

Paraben P2 eXplorer

Smart Mount

Mount Image Pro

Used For:

Running Software Used on Suspect’s System

Running Anti-Virus / Anti-Malware Software Against Suspect’s System

Safe Way to Walk Through Suspect’s System As They Used it, without having to restore their system

Page 55

Gaining Access To:

• Emails

• ISP Data

• Cloud Computing

• Electronically Stored Information (ESI)

Page 56

I Need Electronic Evidence – So How Do I Get It?

• Forensic Expert

Trained and Certified

Identify the Goal and the Scope of the Examination

• Search Warrants & Subpoenas

Page 57

Questions???

Page 58

Contact Information

Andreas Kaltsounis
Department of Defense Inspector General
Defense Criminal Investigative Service
Seattle Resident Agency
(206) 553-0699
[email protected]

Sherry Johnson
Fraud & Digital Forensic Investigation, LLC
Digital Forensic Examiner
Certified Fraud Examiner
(206) 551-6227