forensic digital analysis - 123seminarsonly.com
TRANSCRIPT
What is Digital Forensics Analysis?
o The gathering and analysis of information for use in legal proceedings.
o Relatively new discipline.
The Current Debate
o Is Digital Forensics a Science?
o Science: A systematic activity requiring study and method. (Webster’s)
Old School - It is NOT a science
o The majority of law enforcement personnel that have worked with forensics do not have a formal education in science or computers.
o Their expertise is gained by experience and/or training. They do not consider “data” as being scientific.
o The “Science” of forensics is limited to hair and blood samples, DNA, fibers, etc.
o Software tools used in digital forensics are not reviewed or approved by any governmental body.
o Processes used in the development of digital forensic tools and capabilities are not considered to be scientific.
o Tools are developed by individuals, based on the needs of the community, and subsequently released to the general public.
Old School - It is NOT a science, con’t.
New School - It IS a science
o The integral component of digital analysis is being able to PROVE the validity of the data gathered.
Acquisition of Digital Evidence
o “Evidence” implies that the collector of evidence is recognized by the courts.
o The process of collecting is assumed to be a legal process.
o The appropriate Uniform Rules of Evidence or Federal Rules of Evidence apply.
Legal Definition – The Frye Test
o The test for admissibility of scientific evidence is:
o The proponent bears the burden of proving that the methodology or opinion is generally accepted in the relevant scientific community.
http://www.law.com
International Association of Computer Investigative Specialists
IACIS
o IACIS is an international volunteer non-profit corporation.
o Composed of law enforcement professionals dedicated to education in the field of forensic computer science.
o Members represent Federal, State, Local and International Law Enforcement professionals.
o Regular IACIS members have been trained in the forensic science of seizing and processing computer systems.
The Integral Piece That Encompasses All Entities
Digital Forensics Research Workshop http://dfrws.org
What happened to initiate contact?
o Defacement of Web pages – destruction of property
o Malicious DBS alteration
o Murder
o Pornography usage
o To prove an alibi
o Sabotage to the organization
o Extortion
o Theft of corporate intellectual property
o Computer-controlled building functions
o Computer network being used as jump-off point
o Military weapons systems altered
o Satellite communication system takeover
Before You Arrive – Ask Questions!
o Have the compromised systems been secured? If not, do so immediately.
o Is there an IDS in place?
o Who first noticed the incident?
o Any suspects? Is the attacker still online?
o Are there security policies/procedures in place?
o Has law enforcement been contacted?
o Copy of the network architecture?
o Hardware platforms in use?
o What size are the compromised hard drives?
o Is the compromised system classified?
o Will the System Administrator or other company experts be available at my disposal?
o Does the crime scene area forbid electronic communication devices – i.e. cell phones?
What Do I Do Now?
o FBI Investigative Techniques
  - Check records, logs, and documentation
  - Interview personnel
  - Conduct surveillance
  - Prepare search warrant
  - Search the suspect’s premises if necessary
  - Seize evidence
o Digital Evidence: Standards & Principles http://www.fbi.gov
On Site: Pre-Briefing (about 15 minutes) with all involved personnel.
o Get updated situation status.
o Ask additional questions.
  - Some to the group.
  - Some by individual.
  - Use discretion and tact!
o BE INFORMED – Know your limits!
Department of Justice, Search and Seizure Guidelines: http://www.usdoj.gov/criminal/cybercrime.html
Tools of the Trade
Critical:
1. ALWAYS maintain chain of custody.
2. Keep the evidence in a secured area with proper access controls.
3. Perform analysis on images – never on the original.
National Institute of Standards and Technology, Computer Forensics Tool Testing: http://www.cftt.nist.gov
Tools of the Trade, con’t.
o SafeBack – To obtain a bitstream backup (bit-by-bit copy of the hard drive) of the compromised system.
o GetTime – To document the time and date settings of a victim computer. Reads from CMOS.
o FileList, FileCnvt, Excel – FileList catalogs the contents of the disk; FileCnvt and Excel are used to read the output of FileList.
o GetFree – To obtain the content of all unallocated space (deleted files) on the analysis computer.
All tools available by New Technologies, Inc. http://www.Forensics-Intl.com
Tools of the Trade, con’t.
o Swap Files and GetSwap – 1. If a Microsoft OS system contains static swap files, copy these files to a Zip drive. 2. Obtain the data found in the computer’s “swap” or “page” files.
o GetSlack – To capture data contained in the file slack of the hard drive on the analysis computer.
o Filter_I – To make binary data printable and to extract potentially useful data from a large volume of binary data.
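As an added illustration (not from the slides and not the New Technologies, Inc. tools themselves), a toy cluster-based "drive" in Python showing what the three critical rules and the SafeBack/GetSlack/GetFree tools above amount to: take a bitstream image, hash it for the chain-of-custody record, then recover file slack and unallocated clusters from the image only, never from the device. The 16-byte clusters, the directory table and the file contents are constructed for the example.

```python
"""Constructed toy drive: what a bitstream image, file slack and free space look like."""
import hashlib

CLUSTER = 16      # constructed: 16-byte clusters so the layout fits on one screen
N_CLUSTERS = 6

# Constructed directory: file name -> (clusters it occupies, logical size in bytes)
DIRECTORY = {"notes.txt": ([0, 1], 20)}


def build_disk() -> bytes:
    """Construct a 96-byte 'drive'. A now-deleted file once filled clusters 0-3;
    notes.txt (20 bytes) was later written over clusters 0-1, so the old bytes
    survive in notes.txt's slack (rest of cluster 1) and in free clusters 2-3."""
    disk = bytearray(CLUSTER * N_CLUSTERS)
    deleted = b"DELETED-PLAN:meet-at-dock-0300-bring-keys-to-vault-".ljust(CLUSTER * 4, b"X")
    disk[0:CLUSTER * 4] = deleted
    disk[0:20] = b"grocery list: milk, "
    return bytes(disk)


def acquire_image(device: bytes) -> tuple[bytes, str]:
    """Bitstream copy (the SafeBack step) plus a hash for the chain-of-custody log.
    Every byte is copied, including slack and free space, not just live files."""
    image = bytes(device)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(device: bytes, image_hash: str) -> bool:
    """Re-hash the source and compare: proves the image is a faithful copy."""
    return hashlib.sha256(device).hexdigest() == image_hash


def file_slack(image: bytes, clusters: list[int], size: int) -> bytes:
    """GetSlack: bytes between a file's logical end and the end of its last cluster."""
    used_in_last = size - CLUSTER * (len(clusters) - 1)
    last = clusters[-1]
    return image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]


def unallocated(image: bytes, directory: dict) -> bytes:
    """GetFree: the content of every cluster that no live file references."""
    allocated = {c for clusters, _ in directory.values() for c in clusters}
    free = [c for c in range(N_CLUSTERS) if c not in allocated]
    return b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in free)


if __name__ == "__main__":
    device = build_disk()
    image, digest = acquire_image(device)
    print("image verified:", verify_image(device, digest), digest[:16])
    print("slack of notes.txt:", file_slack(image, *DIRECTORY["notes.txt"]))
    print("unallocated:", unallocated(image, DIRECTORY))
```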
Tools of the Trade – Predominant Usage
o EnCase
  - Intuitive GUI that enables examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.
  - Automates core investigative procedures.
  - The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process.
  - EnCase's EnScript is a powerful macro-programming language and API that allows investigators to build customized and reusable forensic scripts.
http://www.guidancesoftware.com/whitepapers/v4_eee_features.pdf
Caution
o Always use a write-block utility when using imaging and analysis utilities!
o SafeBack (previous slide)
o Hardware utility
  - FastBloc: Full documentation/usage for IDE hard drives available at: http://www.guidancesoftware.com/support/downloads/FastBlocWP.pdf
Operation Enduring Freedom: Analysis and Recovery
o Forensics is playing a critical role.
  - Terrorist factions are using computers and related equipment in their communication network.
  - When identified, forensic analysis must occur in an expeditious manner.
  - Information found could suggest possible targets, movements, communication methods, and location.
The Message of an Expert
o "Continued corroboration between public and private sector organizations working in the field of digital forensics must continue, if this area is to become recognized as one of the forensic sciences".
- Daniel Kalil, 11 February, 2003
- Digital Forensics Specialist
o http://www.rl.af.mil
Additional References
o Cyberforensics Science & Technology Center, Air Force Research Laboratory, New York. Daniel J. Kalil, Digital Forensics Specialist. http://www.rl.af.mil
o American Academy of Forensic Sciences http://www.aafs.org
o International Journal of Digital Evidence http://www.ijde.org
o Cyber Crime Investigator’s Field Guide, (2002) Auerbach Publications, Bruce Middleton. http://www.auerback-publications.com
A very special “Thank-you” to Daniel Kalil
Digital Forensics Specialist, Northrop Grumman IT TASC
Cyberforensics Science & Technology Center, Air Force Research Laboratory/IFGB
for being so patient and responsive to my incessant questions. His knowledge and expertise have ignited a spark that will last a lifetime!