Andreas Kaltsounis, Sherry Johnson
Computer Forensics, Crime & Investigators
October 6, 2010
2010 Organization of Bar Investigators Conference
Trends in Computer Usage & Crime
• Computer Usage
Email, Text-Messaging
PDAs and Smartphones
Social Networking
• Computer Crime
Botnets
Computer Intrusions & Corporate Espionage
What we Can Do
• Define HOW propriety data was stolen, and HOW MUCH of it was stolen
• Detect the alteration of documents, images, or other files
• Track internet usage and web activity
• Create a timeline of user activity on a system
• Recover emails and other files that have been “deleted”
• Document unauthorized access to systems or servers (intrusions)
• Identify the use of anti-forensics (cleaning utilities)
What we Can’t Do
• Recover information if it has been truly deleted (that is, overwritten)
• Tell you with certainty WHO was using a computer
• Conduct an examination without access to the drive, or on a physically damaged drive
Digital Forensics
What types of investigations can Digital Forensics support?
• Thumb (Jump) Drives
• CD/DVD Forensics
• Camera Forensics
• Copier Hard Drives
• Cell Phone Forensics
Call Detail Records
Text Messages
GPS & Tower Location Data
• Forensic Examinations
What is Digital (Computer) Forensics
Need to Substantiate:
• What was being done on the computer / device
• When it was being done
• Who (user account) was doing it
Forensic Evidence – Where to Start
What type of information can you get from Digital Forensic analysis?
• Could be as little as 4 words carved from a deleted file
• Or a part of a picture carved from unallocated space
Forensics 101 – Don’t Take Actions That will Change the Evidence
• What not to do
Allow anyone to “look around”, open, close, move, or copy
Hitting a key could trigger an undesired change
Not always best to pull the plug and turn the system off
• What to do
Have a forensic expert with you or someone you can call
Document all actions taken
If the system is on, have it checked for encryption
Make decisions as to the best way to take the image
[There are several forensically acceptable ways to take an image of a live system, but the actions need to be well documented.]
Tying Evidence to:
• Who
• What
• When
• How
• (Why)
• (Where)
Tying Evidence to: Who
Who has been using this system?
SAM Registry File
Last Logon Time may not be useful if the system has been left on for days
Tying Evidence to: Who
Which user was the last one to use the system?
• Compare Time/Date of all user NTUSER.DAT files
• Compare the last used NTUSER file to the SYSTEM file Last Access Time/Date
Tying Evidence to: Who
What can be used to establish a connection to the suspect?
• Non-Digital Forensics
Phone records
Door cards
Video monitors
Witnesses
• Check Log Files
Applications used by suspect
Chat file logs
Tying Evidence to: Who
Chat Logs
Tying Evidence to: Who
Is there a QUICK way to check across suspect-related files?
• Filter on User SID
• Review All Files
• Sort by Last Access
Tying Evidence to: Who
How to DEBUNK the Malware / Virus defense?
“I didn’t do it…Malware, Viruses or hackers did it”
• Establish multiple indicators of Who was on the computer and When
• Prove Malware / Virus is not on the system
• Prove what the Malware / Virus found is designed to do, and that it would not have created this body of evidence of wrongdoing
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• gmail Password & Time / Date Last Used (Written)
• Google User ID & Password, Time / Date Used
• Documents Most Recently Used & Time / Date (Open and/or Saved)
• Recent Documents Used & Time / Date
• Internet Form Data & Time / Date: captures any information typed into a web form
• E-Bay User ID and Password & Time / Date
• Shell Folders: lists default locations for the information relevant to this user
• Typed URLs: created by the user, showing an intended action (typed or pasted); will be “deleted” when the user clears their Internet Explorer History; the lower the number, the more recent the URL was accessed
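The Typed URLs point above (value names url1, url2, ... with the lowest number being the most recent) is easy to get wrong when the values are sorted as text, because url10 then lands before url2. The following is an added example, not code from the presenters; it parses a constructed text export in the shape of a "reg export" of the TypedURLs key (the URLs are made up) and returns the entries in most-recent-first order. The gap check is an assumption of this example: IE normally numbers the values contiguously, so missing numbers are worth a second look rather than proof of anything.

```python
import re

# Constructed sample in the layout of a "reg export" of
# HKCU\Software\Microsoft\Internet Explorer\TypedURLs. The URLs are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url3"="http://www.example.com/"
"url1"="http://mail.example.net/inbox"
"url10"="http://www.example.org/page"
"url2"="www.example.com/orders"
"""

# One value line of the export: "urlN"="<string>"
_URL_VALUE = re.compile(r'^"url(\d+)"="(.*)"$')


def _unescape_reg_string(s):
    """Undo the two escapes reg export applies inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _typed_url_entries(reg_text):
    """Yield (index, url) pairs for every urlN value in the export."""
    for line in reg_text.splitlines():
        m = _URL_VALUE.match(line.strip())
        if m:
            yield int(m.group(1)), _unescape_reg_string(m.group(2))


def parse_typed_urls(reg_text):
    """Return the typed URLs ordered most recent first.

    url1 is the address entered most recently, so a lower index means a more
    recent entry. The index is sorted numerically, not as text, so that
    url10 does not sort ahead of url2.
    """
    entries = sorted(_typed_url_entries(reg_text), key=lambda e: e[0])
    return [url for _, url in entries]


def typed_url_gaps(reg_text):
    """Index numbers missing from an otherwise contiguous url1..urlN series.

    Assumption of this example: IE keeps the series contiguous, so gaps are a
    hint that individual values were removed by hand or by a cleaner.
    """
    present = {idx for idx, _ in _typed_url_entries(reg_text)}
    if not present:
        return []
    return [i for i in range(1, max(present) + 1) if i not in present]
```

Running `parse_typed_urls(SAMPLE_REG_EXPORT)` on the constructed export gives the mail URL first and the url10 page last; `typed_url_gaps` reports indices 4 through 9 as missing.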
Tying Evidence to: What
Where / When has the suspect gone on the web? (Local Settings\ personal config folder)
• User Internet History (History IE5): websites visited
Index.DAT (master history index file): Clear History will drop and create a new file, but the old file is still there until overwritten
The user actually clicked on these links or went there!!
Tying Evidence to: What
Web – Internet History (History IE5)
Web – Internet History: Temporary Internet Files
Was a File Printed? *.EMF files
What files did the suspect (try to) delete – Recycle Bin? (separate folder for each user) Info2 file
Files – *.LNK (Shortcut Pointers to files, drives and devices): Local Drive; Local to External Drive; External Drive; Network Drive
What Other Devices Have Been Connected? IDE/USB/USBStore
[Cameras may not always be found under USBSTORE; also look in USB. Multifunctional devices will have a line for each function: fax, copier, printer, scanner.]
Meta Data File Information (varies by type of file):
[Word documents can maintain past revisions and up to 10 of the last authors to edit the file.]
Meta data around files (article): The New Metadata Rules – What a busy attorney won’t take the time to tell you, and how it affects the legal IT department, by Donna Payne, Payne Consulting Group
http://www.payneconsulting.com/pub_books/articles/pdf/ILTAPayneMetadata.pdf
Tying Evidence to: What
When was the file created and Who created it? Has the file been changed and When / Who has changed it? Meta Data
Creator (Author) Name
Last Author
Date Created
Date Last Printed
Date Last Modified
Tracked Changes by Author [Track Changes needs to have been turned on in WORD]
Last Name to Modify
Hidden Objects
Hidden Text
# of Revisions
Total Editing Time
Smart Tag Captured Information
Tying Evidence to: What
Are there Similar Files or Other Versions of the file? Meta Data based on MD5 Hash
Tying Evidence to: What
What applications were used recently? Prefetch – use to locate Malware
What applications were used recently? Prefetch – use to locate cleaners (CCleaner), defrag, backup (Carbonite – remote backup site/service) software
[Listing the related / dependent files and processes for Carbonite backup]
Tying Evidence to: What / Who
Are there Emails and Attachments related to scope and suspect?
Tying Evidence to: When
Has the System Time/Date Been Changed?
• Changes tracked in the Security.EVT registry log file
• Use an Event Viewer (FSPRO Labs, Eventlogxp.com)
• Manually (re)setting the system time creates an Event ID # 520
• Meaning of Event IDs for different OS: WWW.EventID.Net
• Networked computers synchronize local clocks with a time server on the Internet or an intranet.
Tying Evidence to: When
Time & Date Change in Event Viewer
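The Event ID 520 point above can be turned into a quick triage pass over an exported log. The following is an added example, not code from the presenters. It reads constructed lines in the shape of a tab-separated Event Viewer export (Date, Time, Source, Event ID, Description), pulls the previous and new clock values out of each time-change event, reports the size and direction of the shift, and lists the events that were recorded while the clock had been set backward. The export layout and the "Previous Time: ... New Time: ..." wording in the description are assumptions of this example, so adjust the regular expression to the real export. The slides name 520; its successor on Vista and later is 4616, which is included in the ID set.

```python
import re
from datetime import datetime

# Constructed sample: four lines in the shape of a tab-separated Event Viewer
# export (Date, Time, Source, Event ID, Description). All values are invented.
SAMPLE_EVENTS = """\
10/06/2010\t08:12:03\tSecurity\t528\tSuccessful Logon: User Name: jdoe
10/06/2010\t08:40:17\tSecurity\t520\tThe system time was changed. Previous Time: 10/06/2010 08:40:17 New Time: 09/28/2010 14:05:00
09/28/2010\t14:06:41\tSecurity\t592\tA new process has been created: WINWORD.EXE
09/28/2010\t14:30:09\tSecurity\t520\tThe system time was changed. Previous Time: 09/28/2010 14:30:09 New Time: 10/06/2010 09:05:00
"""

TIME_CHANGE_IDS = {520, 4616}   # 520: Windows XP/2003; 4616: Vista and later
_TIMES = re.compile(r"Previous Time: (\S+ \S+) New Time: (\S+ \S+)")
_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_export(export_text):
    """Yield (date, time, event_id, description) for each well-formed line."""
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        date, time, _source, event_id, description = fields[:5]
        yield date, time, int(event_id), description


def _clock_values(description):
    """Return (previous, new) datetimes from a time-change description, or None."""
    m = _TIMES.search(description)
    if not m:
        return None
    return datetime.strptime(m.group(1), _FMT), datetime.strptime(m.group(2), _FMT)


def find_time_changes(export_text):
    """List every clock change with its shift in seconds and direction."""
    changes = []
    for date, time, event_id, description in _parse_export(export_text):
        if event_id not in TIME_CHANGE_IDS:
            continue
        values = _clock_values(description)
        if values is None:
            continue
        prev, new = values
        shift = (new - prev).total_seconds()
        changes.append({
            "logged_at": f"{date} {time}",
            "event_id": event_id,
            "previous": prev,
            "new": new,
            "shift_seconds": shift,
            "direction": "backward" if shift < 0 else "forward",
        })
    return changes


def events_logged_while_backdated(export_text):
    """Event IDs recorded after a backward clock change and before the next
    forward one. Records are appended to the log in the order they happen even
    when their stamped times are not monotonic, so line order, not the stamp,
    decides which records fall inside the window."""
    backdated = False
    affected = []
    for _date, _time, event_id, description in _parse_export(export_text):
        if event_id in TIME_CHANGE_IDS:
            values = _clock_values(description)
            if values is not None:
                prev, new = values
                backdated = new < prev
            continue
        if backdated:
            affected.append(event_id)
    return affected
```

On the constructed export, `find_time_changes` reports a backward shift of about a week followed by a forward shift back, and `events_logged_while_backdated` returns the process-creation event that sits between them, whose stamped date is therefore not trustworthy on its own.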
Tying Evidence to: When / What / Who
When did the Suspect and Events coincide? – Timelines
Using the Suspect personal config file (NTUSER.DAT)
• UserAssist shows what windows they had open
• RecentDocs (also used under What)
• MRU lists: OpenSaveMRU, MapNetworkDriveMRU, Explorer\RunMRU, Explorer\StreamMRU
How can a suspect change critical File Times? Create / Access / Modify
Laptops & Desktops
• Copy from one folder to another
Updates the Creation date to the current date
No change to Modify date
• Move from one folder to another
No change to Modify or Create dates
USB Storage Devices
• Copy or Move from one folder to another is the same as for laptops / desktops
• Copy file from USB to laptop/desktop
Updates Creation date
No change to Modify date
• Move file from USB to laptop/desktop
No change to Modify or Create dates
Anti (Counter)-Forensics
• Recently recognized as a legitimate field of study
• “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.”
(Dr. Marc Rogers of Purdue University)
• “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.”
(Scott Berinato in his article, The Rise of Anti-Forensics)
Anti (Counter)-Forensics
From Wikipedia
• Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.
Anti (Counter)-Forensics
Windows Based
Windows Defrag
Format and reinstall the OS
Copying / Moving large amounts of data around repeatedly
Anti (Counter)-Forensics
OS (Re)Installation
Anti (Counter)-Forensics
Registry Cleaners
PCTools Registry Doctor
XP Medic (XPMedic.com)
Registry Patrol (registrypatrol.com)
Anti (Counter)-Forensics
Software Examples
Metasploit – Anti-Forensic Investigation Arsenal (MAFIA)
Transmogrify – trail-obfuscation program
In most file types the header of the file contains identifying information. A .jpg would have header information that identifies it as a .jpg, a .doc would have information that identifies it as a .doc, and so on. Transmogrify allows the user to change the header information of a file, so a .jpg header could be changed to a .doc header. A forensic examination searching for images (.jpg) on a machine would simply see a .doc file and skip over it.
Slacker – a program used to hide files within the file slack space on a Windows computer
Darik’s Boot and Nuke – disk wiping software
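The Transmogrify description above is the reason examiners do not trust a file's extension: the signature bytes at the start of the file, and where possible the structure behind them, decide what the file is. The following is an added example, not code from the presenters or from any of the tools named. It compares the extension a file claims with the signature its first bytes actually carry, over a small constructed set of (name, bytes) pairs, and adds one structural hint: a file whose header says OLE/Word but whose last two bytes are the JPEG end-of-image marker. The signature table and the sample bytes are assumptions of this example; a production check would carry a far longer table and parse the body rather than only look at its first and last bytes.

```python
# Signature (magic-byte) table used by this example. Constructed for the
# demonstration; real tools carry hundreds of entries.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                          # .docx/.xlsx are ZIP containers
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "doc": (OLE2,), "xls": (OLE2,), "ppt": (OLE2,),
    "docx": (ZIP,), "xlsx": (ZIP,), "zip": (ZIP,),
    "exe": (b"MZ",), "dll": (b"MZ",),
}
JPEG_EOI = b"\xff\xd9"   # end-of-image marker closing every JPEG stream

# Constructed sample files: (name, first and last bytes). The third entry is a
# JPEG stored under a .doc name; the fourth imitates a JPEG whose header was
# rewritten to look like a Word file while its trailer was left alone.
SAMPLE_FILES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI),
    ("report.doc", OLE2 + b"\x00" * 24),
    ("notes.doc", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI),
    ("invoice.doc", OLE2 + b"\x00" * 16 + JPEG_EOI),
    ("readme.txt", b"Plain text, no signature"),
]


def detect_types(data):
    """Extensions whose signature matches the start of the data."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(data.startswith(sig) for sig in sigs)}


def check_file(name, data):
    """Compare the claimed extension with the detected signature.

    status is "match" when the extension is among the detected types,
    "mismatch" when either side is known and they disagree, and "unknown"
    when neither the extension nor the content has a rule in the table.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = detect_types(data)
    if ext in detected:
        status = "match"
    elif detected or ext in SIGNATURES:
        status = "mismatch"
    else:
        status = "unknown"
    hints = []
    # Structural hint: a JPEG trailer behind a non-JPEG header.
    if data.endswith(JPEG_EOI) and "jpg" not in detected:
        hints.append("JPEG end-of-image marker at tail despite non-JPEG header")
    return {"name": name, "claimed": ext, "detected": sorted(detected),
            "status": status, "hints": hints}


def flag_suspicious(files):
    """Results for files that mismatch their extension or carry a hint."""
    results = (check_file(name, data) for name, data in files)
    return [r for r in results if r["status"] == "mismatch" or r["hints"]]
```

On the constructed set, `flag_suspicious(SAMPLE_FILES)` returns notes.doc (JPEG bytes under a Word name) and invoice.doc (Word header, JPEG trailer); a renamed file is caught by the first check, while a rewritten header needs the structural one, which is the point the Transmogrify description makes.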
Anti (Counter)-Forensics
Software Examples
Timestomp – the goal is to allow for the deletion or modification of time stamp related information on files. There are four date and time stamps on files that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table.
Note: Although this program is designed to frustrate forensic analysis, it should be noted that its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. The Windows operating system records at least some timestamp information. The total absence of such is a dead giveaway that a user has tried to hide something. On the flip side, if the values are simply changed to believable values, then there is little chance the change(s) will be noticed at a casual glance.
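Two passages above describe what an examiner looks for in file times: the copy/move rules under "How can a suspect change critical File Times" (a copy gets a fresh Creation date while the Modify date survives, so a file created after it was last modified was copied in) and the Timestomp note (absent or zeroed stamps are a giveaway). The following is an added example, not code from the presenters, that applies both checks to constructed file records (path plus created/modified/accessed values, built inline; the paths and times are invented). It also applies one heuristic that is not on the slides and is labelled as such: when every stamp on a file has a zero sub-second part, the values may have been set by hand rather than by the file system, which is worth a look rather than a conclusion.

```python
from datetime import datetime

# NTFS stores times as FILETIME counted from 1601-01-01; a zero value decodes
# to this instant and is treated here as "no timestamp".
FILETIME_ZERO = datetime(1601, 1, 1)

# Constructed sample records: path and the three stamps the slides discuss.
SAMPLE_RECORDS = [
    {"name": r"C:\Users\jdoe\Documents\memo.docx",
     "created": datetime(2010, 9, 1, 9, 15, 22, 123456),
     "modified": datetime(2010, 9, 3, 16, 40, 5, 654321),
     "accessed": datetime(2010, 10, 5, 8, 2, 11, 111111)},
    # Same document copied to a USB drive after its last edit: the copy
    # received a new Creation date but kept the Modify date.
    {"name": r"E:\backup\memo.docx",
     "created": datetime(2010, 10, 5, 8, 3, 0, 222222),
     "modified": datetime(2010, 9, 3, 16, 40, 5, 654321),
     "accessed": datetime(2010, 10, 5, 8, 3, 0, 222222)},
    # Stamps blanked: one missing, one zero.
    {"name": r"C:\Users\jdoe\Documents\ledger.xls",
     "created": None, "modified": FILETIME_ZERO, "accessed": None},
    # Believable values, but every stamp lands exactly on a whole second.
    {"name": r"C:\Users\jdoe\Documents\plan.doc",
     "created": datetime(2010, 8, 10, 10, 0, 0),
     "modified": datetime(2010, 8, 12, 11, 30, 0),
     "accessed": datetime(2010, 8, 12, 11, 30, 0)},
]

STAMPS = ("created", "modified", "accessed")


def triage_timestamps(record):
    """Return a list of findings for one file record (empty when nothing stands out)."""
    findings = []
    missing = [k for k in STAMPS if record[k] is None or record[k] == FILETIME_ZERO]
    if missing:
        # Timestomp note: Windows always records something; absent or zero
        # stamps are the giveaway, and the other checks cannot run without them.
        findings.append("timestamps absent or zero: " + ", ".join(missing))
        return findings
    created, modified, accessed = (record[k] for k in STAMPS)
    if created > modified:
        # Copy rule from the slides: a copy takes a fresh Creation date and
        # keeps the Modify date, so this ordering points at a copied file.
        findings.append("created after modified: consistent with a copy made after the last edit")
    if accessed < created or accessed < modified:
        findings.append("accessed earlier than created/modified")
    if all(record[k].microsecond == 0 for k in STAMPS):
        # Heuristic not on the slides: hand-set values tend to lack a
        # sub-second part, whereas file-system-set values normally carry one.
        findings.append("all timestamps on a whole second (heuristic: possibly hand-set)")
    return findings


def triage_all(records):
    """Map each flagged path to its findings; clean records are omitted."""
    report = {}
    for record in records:
        findings = triage_timestamps(record)
        if findings:
            report[record["name"]] = findings
    return report
```

On the constructed records, the original memo is clean, the USB copy is reported as a copy made after the last edit, the ledger is flagged for blank stamps, and the plan file is flagged only by the whole-second heuristic.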
Anti (Counter)-Forensics
Wiping Tools
Eraser (free & ready to install)
CCleaner (free)
Window Washer ($29.95): erases browser history, cookies & cache; protects passwords and personal information; permanently deletes unwanted files; frees up space on HD; removes cookies and unnecessary files; sets automatic cleanings
Evidence Eliminator ($29.95): erases all tracks of internet activity; Internet & Windows tracks erasing
Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner
Useful Tools
Read-Only Hard Drive Viewing (live image): Paraben P2 Explorer, SmartMount, Mount Image Pro
Used For:
Running software used on the suspect’s system
Running anti-virus / anti-malware software against the suspect’s system
A safe way to walk through the suspect’s system as they used it, without having to restore their system
Gaining Access To:
• Emails
• ISP Data
• Cloud Computing
• Electronically Stored Information (ESI)
I Need Electronic Evidence – So How Do I Get It?
• Forensic Expert: trained and certified; identify the goal and the scope of the examination
• Search Warrants & Subpoenas
Questions???
Contact Information
Andreas Kaltsounis
Department of Defense Inspector General, Defense Criminal Investigative Service, Seattle Resident Agency
(206) 553-0699, [email protected]
Sherry Johnson
Fraud & Digital Forensic Investigation, LLC
Digital Forensic Examiner, Certified Fraud Examiner
(206) 551-6227