Page 1: Low Level Host Examinations

Low Level Host Examinations

Page 2: Low Level Host Examinations

Non-Destructive Actions

Fdisk

Chkdsk

Dir

Redirection

Type

Page 3: Low Level Host Examinations

First Responder Concerns

Normal to have access in past 24 hours

Last person on system

Normal work hours

Need to work outside established hours

Work patterns

Time of incident

System backed up

Time with organization

Any different behavior

Any changes to network or problems

Access level to systems/applications

Any changes to work area

Non-US citizen

Access logs into building/garage

User ID and PW

Any reprimands

Contractor access

Who had access to area

Educational and computer expertise of individuals

What is work of organization

Who noticed? Who reported?

Anything touched

Who knows of incident

Copy of security policies and procedures

Why is this a problem

Purchasing record of system(s) and base configuration

Diagram of network architecture

Names and contact info for experts/supervisors

Describe evidence collection procedures

Backups to system

System re-imaged or new versions installed

New applications added to system

Any new rights issued for systems/applications

Any disgruntled employees

Page 4: Low Level Host Examinations

Locard's Exchange Principle

Anyone, or anything, entering a crime scene takes something of the crime scene with them. They also leave behind something of themselves when they depart.

Page 5: Low Level Host Examinations

Evidence on the Hard Drive

Hard disk drives

Files

Erased files

File slack

Hidden partitions

Encrypted files

Compressed data (zip)

Windows swap file

Windows temp files

Application temp files

Hidden files/folders

Page 6: Low Level Host Examinations

FBI Investigations

Check records, logs, and documentation

Interview personnel

Conduct surveillance

Prepare a search warrant

Search the suspect’s premises

Seize evidence

Page 7: Low Level Host Examinations

Analysis of the Evidence

Identify & document evidence of criminal violations

Intelligence gathering from other sources

Tie media to computers

Identify email & Internet browsing patterns tied to criminal activity

Identify associates

Identify time lines

Identify weaknesses in case

Audit issues regarding violations of corporate policy

Discover evidence for civil or criminal cases

Identify source of trade secret thefts & abuses

Misuse of Internet access

Locate trade secrets

Page 8: Low Level Host Examinations

Just "Look"

You can just look at a person's workspace. Passwords are too often out in plain view:

- Taped to the monitor
- Written on the desktop
- In the Rolodex file
- On a "Post-It" note

Page 9: Low Level Host Examinations

Workstation Policies

Perform a physical audit

Tag & inventory all physical computing resources

Policies address use of PDAs, storage devices, and laptops

Responsibility for stolen devices

How hardware/software is used at home

Technicians & passwords

Help desk reports

No downloads or software installs

Prohibit running executable files received as e-mail attachments

Bitstream back up the entire contents of the hard disk(s) when an employee leaves or is terminated

Page 10: Low Level Host Examinations

Preparing a Case

Comments to law enforcement are "on the record"

Know your loss

Have documentation of the case

Gather and deliver physical evidence

Use legal counsel that can explain the law

Describe the investigation

Have only one set of notes

Conduct the investigation in secret

Time is of the essence

Page 11: Low Level Host Examinations

Incident Response Implementation

Detection of incident

Initial response

Response strategy formulation

Investigation

Isolate and contain

Recovery

Report

Lessons learned

Page 12: Low Level Host Examinations

Why Use a Methodology?

A formal methodology allows an investigator to approach and investigate a computer crime rationally and expeditiously, without a loss of thoroughness. More importantly, it establishes a protocol by which electronic evidence (physical and logical) is gathered and handled, to reduce the potential for this evidence to be corrupted or tainted.

Timothy Wright

Page 13: Low Level Host Examinations

Low Hanging Fruit

Internet history files

Check cookies for subscription services passwords

Review of directories & files with simple DOS commands

Check processes

.BAK & .DAT files on PDAs

Paraben forensics tools for PDAs

Page 14: Low Level Host Examinations

Tools

Make sure tools are virus free

NIST certified virus checker

Use the same software versions for each investigation (do not change in the middle)

CHKDSK identifies orphan clusters

SYSINFO documents the system

FDISK documents the number and size of partitions

Start-up disk (bootable)

Use only licensed software

Copy drivers to the start-up disk (Parallel, IDE, SCSI)

Config.sys for devices

Check peer-to-peer access for storage on another medium

GetTime grabs date and time

Disk-locking programs (floppylock, writeblock, diskblock)

Ribbon cable for hook-up to HD

Page 15: Low Level Host Examinations

Are There Limits?

All of the computer hardware, software and media that a suspect might have access to at his job is probably owned by the employer. Seizures do not need to adhere to the Fourth Amendment.

Page 16: Low Level Host Examinations

Approaching a Scene

Permission to process PC

Pictures to document the scene

Pull the plug from the back of the computer, not from the wall (take a picture first)

Remove all connections & label them

Pulling the plug does not change the state of the hard drive, but a shutdown will!

Page 17: Low Level Host Examinations

Preliminary Preparation

1. Accumulate the packaging and materials
2. Prepare the log for documentation of the search
3. Ensure IRT is aware of forms of evidence & proper handling materials
4. Evaluate the current legal ramifications of crime scene searches
5. Discuss the search with involved personnel before arrival at the scene
6. Identify a person-in-charge prior to arrival at the scene
7. Assess the personnel assignments normally required to process a crime scene successfully

Page 18: Low Level Host Examinations

Reviewing The Surroundings

Desktops

Monitors

Next to telephones

In wallets or purses

Electronic pocket organizers

In a suspect's pocket

Trash can

Inside of books and manuals

Taped underneath keyboards

Page 19: Low Level Host Examinations

Investigation of Computer Intrusion

• Victim theory of access

• Corroborating evidence of employee access

  New files created during timeline of theft

  Code entry (doors, gates, rooms)

  Telephone records (corroborate login)

  Placement at scene (eyewitness, camera)

• Obtain court order for trap and trace for home

Page 20: Low Level Host Examinations

Employee Suspects

• Check personnel file

• Signed for receipt of proprietary information

• Check building logs

• Cleaned out desk area

• Phone records for calls to competitors

• Calls from former employees requesting information

Page 21: Low Level Host Examinations

Procedures

Take photographs of:

The computer screen

The front, back and sides of the computer

The cables attached to the computer

Any peripherals attached to the computer

Log whether the computer is on or off

If on, note in the log what it appears to be doing

Log whether or not the computer is on a network

Page 22: Low Level Host Examinations

Examination in DOS

Create a DOS disk

Copy DOS files

Virus check

Place boot disk in A: drive

Boot to DOS

Insert copy disk

Backup

Verify

Duplicate from copy (place in separate area)

Run disksig and CRCMD5 on victim hard drive

Page 23: Low Level Host Examinations

Tools

GetTime

Documents the time and date settings of the victim computer

Reads date/time from CMOS

Syntax: GetTime <enter>

Creates a file; note the time on your watch/clock

Page 24: Low Level Host Examinations

Tools

Filelist, filecnvt, Excel

Filelist <enter> catalogs the contents of the disk

Filelist /m /d a:\DriveC C: <enter>

Dir /od a: <enter> creates 2 files (delete the 2nd one)

Run filecnvt

Enter name of computer

Run Excel; column 3 has the filenames of deleted files

Page 25: Low Level Host Examinations

Tools

Getfree

Content of unallocated space

Getfree C: provides an estimate of the amount of free space

Getfree /f d:\FreeC c:  (/f excludes non-printable characters)

Page 26: Low Level Host Examinations

Tools

Getswap

Windows 98 or 95: copy win386.swp or 386spart.par

If NT/2000 you must do this from DOS (not a window)

Locate pagefile.sys (usually c:\winnt\system32\)

Copy file

To read instructions: getswap man | more

Getswap id lists the partitions recognized

Getswap d:\swapdata c: e: f: g:

Getswap /f d:\swapdata C:

Page 27: Low Level Host Examinations

Tools

Getslack

Getslack c: to determine how much slack exists

Getslack /f d:C_slack C:

Page 28: Low Level Host Examinations

Temp Files

.tmp extension

Start: Find

Copy

Page 29: Low Level Host Examinations

CRCMD5

Calculates a 32-bit checksum

Crcmd5 <options> file1 file2

/s current directory

/h headerless text

Crcmd5 /s d:

Crcmd5 d:swapdata.f01

Page 30: Low Level Host Examinations

Tools

Disksig computes a checksum for an entire hard drive (the boot sector is excluded)

Disksig d:

To include boot sector use /b

Compressed drives have the signature performed on the raw uncompressed hard drive

Page 31: Low Level Host Examinations

Tools

Doc

Documents the contents of files and directories and related information

Doc <enter>

Output can be redirected to a file for printing

Page 32: Low Level Host Examinations

Searching

Favorites

Bookmarks

Cookies

History file

Internet Options set

Properties for file dates, ownership

Recycle bin

Hidden system folder

Sequence of deletion, files deleted, dates, types of files

Folder is Recycled in 95 & 98, Recycler in NT/2000

Page 33: Low Level Host Examinations

Recycle Bin

When files are deleted:

Moving to the recycle bin creates a new entry

Deletion of the file/folder from its original location

Addition of information about the file to a hidden file, INFO (800) or INFO2 (280)

On first use of the recycle bin in NT/2000 a subfolder is created with the user's SID, which identifies which user created it

Date and time are recorded in INFO, not in the bin

Other INFO:

Prior file location

Order in bin

New filename in bin (original drive letter, index #, original extension)

Empty the bin and INFO is deleted

Use Quickview Plus to look at deleted file info

Identify information about other media
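As an added example, not part of the original slides or the NTI tool set they describe, here is a Python parser for the INFO2 records outlined above: it reads the record size from the file header (the 280-byte layout, or the 800-byte one that carries a UTF-16 copy of the path), decodes each record's original path, deletion FILETIME and size, and rebuilds the bin filename ("D" + drive letter + index + extension) that the later directory listing shows as DC178.TXT and so on. The byte layout is assumed from public documentation of the format, and the two records are constructed sample input mirroring the DC178/DC179 lines of that listing.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed INFO2 layout (from public format documentation, not the slides):
# 20-byte header, DWORD at offset 12 = record size (280, or 800 when a UTF-16
# copy of the path follows); then per record: 0 ANSI path (260 bytes),
# 260 DWORD index, 264 DWORD drive (0=A, 2=C), 268 FILETIME deleted,
# 276 DWORD size, 280 UTF-16LE path (800-byte records only).
HEADER_LEN = 20
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100-ns ticks

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def bin_name(drive, index, original_path):
    """'D' + original drive letter + index + original extension, e.g. DC178.TXT."""
    leaf = original_path.rsplit('\\', 1)[-1]
    ext = '.' + leaf.rsplit('.', 1)[1] if '.' in leaf else ''
    return 'D%s%d%s' % (chr(ord('A') + drive), index, ext)

def parse_info2(data):
    (record_size,) = struct.unpack_from('<I', data, 12)
    entries = []
    for off in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        path = rec[:260].split(b'\x00', 1)[0].decode('cp1252')
        index, drive, ft, size = struct.unpack_from('<IIQI', rec, 260)
        if record_size == 800:  # prefer the Unicode copy when present
            path = rec[280:].decode('utf-16-le').split('\x00', 1)[0]
        entries.append({'index': index, 'original_path': path, 'size': size,
                        'deleted': filetime_to_datetime(ft),
                        'bin_name': bin_name(drive, index, path)})
    return entries

def build_info2(records, record_size=280):
    """Constructed sample INFO2 bytes for testing the parser (not a real artefact)."""
    body = b''
    for path, index, drive, deleted, size in records:
        ft = ((deleted - EPOCH_1601) // timedelta(microseconds=1)) * 10
        rec = path.encode('cp1252').ljust(260, b'\x00') + struct.pack('<IIQI', index, drive, ft, size)
        if record_size == 800:
            rec += path.encode('utf-16-le').ljust(520, b'\x00')
        body += rec
    return struct.pack('<IIIII', 5, len(records), 0, record_size, len(body)) + body

# Two constructed entries mirroring the DC178/DC179 lines of the slide listing.
DELETED_AT = datetime(2003, 1, 24, 8, 54, tzinfo=timezone.utc)
SAMPLE = build_info2([('C:\\Reports\\budget.txt', 178, 2, DELETED_AT, 72),
                      ('C:\\Reports\\notes.txt', 179, 2, DELETED_AT, 96)])
```

Calling `parse_info2(SAMPLE)` yields the original path, deletion time and bin name for each record, which is exactly the "prior file location, order in bin, new filename" information the slide says survives only in INFO until the bin is emptied.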

Page 34: Low Level Host Examinations

Shortcut

Examine:

Windows desktop

Windows\recent (up to 15 shortcuts)

Windows start menu

Windows send to

.lnk files refer to target files (applications, folders, data, objects)

Existence of shortcuts indicates knowledge of the presence of a file

If times differ, it can point to the knowledge to create the icon

Page 35: Low Level Host Examinations

Cached Files

IE caches websites

Cached files stored in Windows\Temporary Internet Files folder

INDEX.DAT has all cached files

Page 36: Low Level Host Examinations

Registry

Repository for hardware and software configuration information

Windows\system.dat or Windows\user.dat

On NT/2000 the registry is comprised of hives located in %systemroot%\system32\config and an Ntuser.dat file for each user account

Regedit or regedt32; the NT Resource Kit has a utility, regdmp

Page 37: Low Level Host Examinations

Printing

Shadow files (.shd) are created about print jobs

Information on print job: owner, printer, name of file and method

Existence points to knowledge of printing activity

Page 38: Low Level Host Examinations

MAC Times

The OS records the dates and times files were accessed, created and modified

Dates can be sorted to reveal a sequence of activities

Page 39: Low Level Host Examinations

MFT

The Master File Table is a system file created during formatting of an NTFS volume

1 MFT record for every file on a volume, including an entry about itself and some metadata

MFT records store attributes about a file or folder

MFT records store all or some of the data in a file in the $DATA attribute

Contain a flag with allocation status (0 if deleted/unallocated)
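As an added example, not from the slides, the following Python code reads the MFT record header and any resident $DATA attribute described above, and shows the forensic consequence of the allocation flag: a record whose in-use bit is 0 (the file was deleted) still holds the file's resident content until NTFS reuses the record. The byte offsets are assumptions taken from public NTFS documentation, and the two records are constructed sample input rather than data from a real volume.

```python
import struct

# Assumed NTFS FILE record layout (public format documentation, not the slides):
# header 0x00 'FILE', 0x14 offset of first attribute, 0x16 flags (bit 0 = in use,
# bit 1 = directory), 0x2C record number; attributes follow, each with type at +0,
# length at +4, non-resident flag at +8, and for resident ones content length at
# +0x10 and content offset at +0x14; type 0xFFFFFFFF ends the list.
MFT_RECORD_SIZE = 1024
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002

def parse_record(rec):
    """Report allocation state and any resident $DATA content of one MFT record."""
    if rec[:4] != b'FILE':
        raise ValueError('not an MFT FILE record')
    first_attr, flags = struct.unpack_from('<HH', rec, 0x14)
    (record_no,) = struct.unpack_from('<I', rec, 0x2C)
    info = {'record': record_no, 'allocated': bool(flags & FLAG_IN_USE),
            'directory': bool(flags & FLAG_DIRECTORY), 'data': None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from('<II', rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[off + 8] == 0:  # resident $DATA: bytes live in the MFT
            clen, coff = struct.unpack_from('<IH', rec, off + 0x10)
            info['data'] = rec[off + coff:off + coff + clen]
        off += alen
    return info

def build_record(record_no, in_use, content):
    """Constructed minimal record with one resident $DATA attribute (sample input)."""
    attr_len = (0x18 + len(content) + 7) & ~7  # attribute lengths are 8-byte aligned
    attr = struct.pack('<IIBBHHHIHBB', ATTR_DATA, attr_len, 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0, 0) + content
    flags = FLAG_IN_USE if in_use else 0
    header = struct.pack('<4sHHQHHHHIIQHHI', b'FILE', 0x30, 3, 0, 1, 1, 0x38, flags,
                         0x38 + attr_len + 8, MFT_RECORD_SIZE, 0, 1, 0, record_no)
    rec = header.ljust(0x38, b'\x00') + attr.ljust(attr_len, b'\x00') + struct.pack('<I', ATTR_END)
    return rec.ljust(MFT_RECORD_SIZE, b'\x00')

# Constructed pair: a live file and a deleted one whose record was not yet reused.
LIVE = build_record(178, True, b'quarterly budget draft\r\n')
DELETED = build_record(179, False, b'notes to self\r\n')
```

`parse_record(DELETED)` reports `allocated: False` yet still returns the file's bytes, which is why sorting MFT records by the allocation flag, rather than trusting the directory listing, is how deleted small files are located.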

Page 40: Low Level Host Examinations

Page 41: Low Level Host Examinations

Recycled

DC178 TXT 72 01-24-03 8:54a DC178.TXT

DC179 TXT 96 01-24-03 8:54a DC179.TXT

DC180 TXT 74 01-23-03 12:11p DC180.TXT

DC181 TXT 94 01-23-03 12:09p DC181.TXT

DC182 TXT 110 01-23-03 12:09p DC182.TXT

DC183 TXT 318 01-23-03 12:07p DC183.TXT

DC184 TXT 70 01-23-03 12:07p DC184.TXT

DC185 TXT 104 01-23-03 11:26a DC185.TXT

DC186 TXT 71 01-23-03 11:26a DC186.TXT

DC187 TXT 155 01-23-03 8:39a DC187.TXT

DC188 TXT 175 01-22-03 6:15p DC188.TXT

DC189 TXT 104 01-22-03 6:13p DC189.TXT

DC190 TXT 80 01-22-03 6:12p DC190.TXT

DC191 TXT 94 01-22-03 6:12p DC191.TXT

DC192 TXT 148 01-22-03 6:11p DC192.TXT

DC193 TXT 95 01-22-03 5:54p DC193.TXT

DC194 TXT 95 01-22-03 5:51p DC194.TXT

DC195 TXT 77 01-22-03 5:49p DC195.TXT

DC196 TXT 127 01-22-03 5:47p DC196.TXT

DC197 TXT 163 01-25-03 3:01p DC197.TXT

DC198 TXT 70 02-05-03 8:56a DC198.TXT

198 file(s) 2,723,699 bytes

2 dir(s) 15,511.09 MB free

C:\RECYCLED>

