forensics honors nov2003

Post on 29-May-2018


  • 8/8/2019 Forensics Honors Nov2003

    Slide 1/30: Solving Computer Crime: An Introduction to Digital Forensics

    Golden G. Richard III, Ph.D.

    Dept. of Computer Science

    Gulf Coast Computer Forensics Laboratory (GCCFL)

    [email protected]

  • Slide 2/30: Digital Forensics

    Definition: Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.

    Devices include computers, PDAs, cellular phones, videogame consoles

  • Slide 3/30: Examples of Digital Evidence

    Computers increasingly involved in criminal and corporate investigations

    Digital evidence may play a supporting role or be the smoking gun

    Email: harassment or threats; blackmail; illegal transmission of internal corporate documents; meeting points/times for drug deals; suicide letters; technical data for bomb making

    Image or digital video files (esp., child pornography)

    Evidence of inappropriate use of computer resources or attacks: use of a machine as a spam email generator; use of a machine to distribute illegally copied software

  • Slide 4/30: Major Issues

    Identification of potential digital evidence: Where might the evidence be? Which devices did the suspect use?

    Preservation of evidence: On the crime scene, first stabilize evidence (prevent loss and contamination). If possible, make identical copies of evidence for examination.

    Careful extraction and examination of evidence

    Presentation:

    "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore HITLIST.DOC"

    "The suspect attempted to hide the Microsoft Word document HITLIST.DOC but I was able to recover it without tampering with the file contents."

    Legal: Investigatory needs meet privacy

  • Slide 5/30: Preservation of Evidence: Hardly trivial

    [Diagram: a machine in the living room and one in the basement/closet joined by a wireless connection; an unsaved note on screen reads "Dear Susan, It's not your fault"; a clock goes "tick tick tick"; labels: "Just pull the plug?", "Move the mouse for a quick peek?", "Tripwires", "Volatile computing"]

  • Slide 6/30: Preservation: Imaging

    When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!

    Write blockers: Use them. Always.

    dd under Linux

    DOS boot floppies

    Proprietary imaging solutions

    [Photo: Drivelock write blocker]

  • Slide 7/30: Extraction and Examination

    Know where evidence can be found

    Understand techniques used to hide or destroy digital data

    Toolbox of techniques to discover hidden data and recover destroyed data

    Cope with HUGE quantities of digital data: ignore the irrelevant and target the relevant

  • Slide 8/30: Where's the evidence?

    Undeleted files (expect some names to be incorrect)

    Deleted files

    Windows registry

    Print spool files

    Hibernation files

    Temp files (all those .TMP files!)

    Slack space

    Swap files

    Browser caches

    Alternate partitions

    On a variety of removable media (floppies, ZIP, Jazz, tapes, ...)

  • Slide 9/30: Fallacy vs. Fact in Digital Forensics

    Many digital forensics tools and techniques are quite complex; very difficult to cover in a short lecture

    To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach

    Fallacy: User attempting to hide evidence believes one thing

    Fact: But in fact...

    Look at a few fact vs. fallacy scenarios, then one more advanced topic

  • Slide 10/30: Fallacy: File was deleted, it's gone!

    Users often mistake normal deletion of files for secure deletion

    Deleted files recoverable using forensics tools

    Why? Filesystem makes a small change in its bookkeeping info to mark a file as deleted; data associated with file is NOT erased

    Example: FAT32 (Windows), first character of filename is changed to 0xEF in directory entry to delete file

    Forensics software changes one character in directory entry, file reappears

    To prevent recovery, must perform secure overwrite of the file or physically destroy the media
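    The slide's point, as an added example that is not part of the original deck: a toy FAT directory entry (the real 32-byte 8.3 layout, timestamps zeroed) on a constructed one-cluster volume. Deleting touches exactly one byte of bookkeeping and nothing in the data region, so an examiner only has to put a first character back. Note that the FAT specification uses 0xE5 as the deleted-entry marker (the slide's 0xEF reads as a typo); the original first character is not stored in the short entry, so the examiner supplies it. File name, contents and cluster numbers below are constructed.

```python
import struct

# FAT marks a deleted 8.3 directory entry by overwriting byte 0 with 0xE5.
DELETED = 0xE5
# 32-byte short directory entry: name(11) attr ntres crt_tenth crt_time crt_date
# last_access first_cluster_hi write_time write_date first_cluster_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
CLUSTER_SIZE = 512          # constructed toy volume: one 512-byte cluster per file


def make_entry(name83: bytes, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Pack a short directory entry; timestamp fields are zeroed for brevity."""
    assert len(name83) == 11, "8.3 names are space-padded to 11 bytes"
    return struct.pack(ENTRY_FMT, name83, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_entry(entry: bytes) -> dict:
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, entry)
    base = name[:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    return {
        "deleted": name[0] == DELETED,
        "name": base + "." + ext,
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def os_delete(entry: bytes) -> bytes:
    """What the filesystem does on delete: a one-byte bookkeeping change."""
    return bytes([DELETED]) + entry[1:]


def forensic_undelete(entry: bytes, first_char: bytes) -> bytes:
    """The examiner's reversal. The original first character is gone from the
    entry, so it is supplied from context (long-name entries, or a guess)."""
    assert len(first_char) == 1
    return first_char + entry[1:]


def read_file(data_region: bytes, entry: bytes) -> bytes:
    """Read contents via the entry's cluster/size fields, which delete never touched.
    Toy volume: clusters are contiguous and data cluster numbering starts at 2."""
    e = parse_entry(entry)
    start = (e["first_cluster"] - 2) * CLUSTER_SIZE
    return data_region[start:start + e["size"]]


def demo() -> dict:
    contents = b"constructed sample document: names and addresses"
    data_region = contents.ljust(CLUSTER_SIZE, b"\x00")       # cluster 2
    live = make_entry(b"HITLIST DOC", 2, len(contents))
    deleted = os_delete(live)
    recovered = forensic_undelete(deleted, b"H")
    return {
        "deleted_flag": parse_entry(deleted)["deleted"],
        "bytes_changed_by_delete": sum(a != b for a, b in zip(live, deleted)),
        "data_intact": read_file(data_region, deleted) == contents,
        "recovered_name": parse_entry(recovered)["name"],
    }


if __name__ == "__main__":
    print(demo())
```

    Real recoveries also have to deal with the FAT chain itself: the cluster chain is zeroed on delete, so a fragmented file's later clusters must be reassembled by other means; the contiguous case shown here is the easy one.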

  • Slide 11/30: Fallacy: I renamed the file, I'm safe!

    childporn.jpg → winword.exe

    Renaming files is an ineffective defense against digital forensics investigation

    Technique # 1: Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses; e.g., JPEG files contain 0x4a464946 or 0x45786966 in the first block of the file

    Technique # 2: Cryptographic hashing provides a mechanism for fingerprinting files. File contents is matched quickly, regardless of name: hashes equivalent, file contents equivalent. Think: fingerprints don't care about hair color

  • Slide 12/30: Aside: Hashing

    Typical algorithms: SHA-1, MD5

    Example:

    C:> md5sum golden.jpg
    b28f08b004a7251a418e089ef3bb7409 *golden.jpg
    C:> rename golden.jpg winword.exe
    C:> md5sum winword.exe
    b28f08b004a7251a418e089ef3bb7409 *winword.exe

    Can automate checking of hashes

    Huge dictionaries exist with hashes for known files (http://www.nsrl.nist.gov/index/prodname.index.txt) and known child pornography files

    Can quickly disregard known files and target the interesting stuff
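    Techniques 1 and 2 of the last two slides together, as an added example that is not from the deck: classify files by leading bytes (the "JFIF"/"Exif" markers the slide quotes sit at offset 6, after the FF D8 FF start-of-image bytes and the APPn marker and length), hash them, drop anything whose SHA-1 matches a reference set (the NSRL idea), and flag files whose extension disagrees with their content. The file names, file contents and the "known-good" hash set are all constructed; the signature table is a small subset of what a real tool carries.

```python
import hashlib

# Content signatures ("magic bytes") for a handful of common types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "pdf":  (b"%PDF-",),
    "exe":  (b"MZ",),             # DOS/Windows executable header
}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf", "exe": "exe"}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name the user chose."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return "unknown"


def jpeg_app_marker(data: bytes):
    """Return 'JFIF' or 'Exif' when that application segment follows the SOI marker."""
    tag = data[6:10]
    return tag.decode("ascii") if tag in (b"JFIF", b"Exif") else None


def fingerprint(data: bytes) -> dict:
    """Hashes depend on content only: renaming the file changes nothing here."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def triage(files: dict, known_sha1: set) -> list:
    """Skip files whose SHA-1 is in the reference set; for the rest, report the
    content type and whether the extension lies about it."""
    findings = []
    for name, data in files.items():
        fp = fingerprint(data)
        if fp["sha1"] in known_sha1:
            continue                          # known and uninteresting: disregard
        kind = identify(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = EXT_TO_KIND.get(ext)
        findings.append({
            "name": name,
            "type": kind,
            "marker": jpeg_app_marker(data) if kind == "jpeg" else None,
            "md5": fp["md5"],
            "ext_mismatch": claimed is not None and claimed != kind,
        })
    return findings


def demo() -> list:
    # Constructed stand-ins for files on a seized disk (not real files).
    golden_jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 24 + b"\xff\xd9"
    real_winword = b"MZ\x90\x00" + b"\x00" * 28
    notes = b"constructed note: meet at the usual place, 9pm"
    files = {
        "winword.exe": golden_jpg,                        # the slide's renamed picture
        "Program Files/Office/WINWORD.EXE": real_winword, # a genuine, known binary
        "notes.txt": notes,
    }
    known_good = {fingerprint(real_winword)["sha1"]}     # stands in for an NSRL lookup
    return triage(files, known_good)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    The reference set is keyed on SHA-1 because that is what the hash sets of the period published; the same lookup works with any digest, and a renamed copy of a known file is still matched because the name never enters the hash.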

  • Slide 13/30: Fallacy: I format-ed the drive, whew!

    Formatting a drive does not prevent recovery of digital evidence

    In fact, format typically overwrites less than 1% of drive contents. Why does it take so long? Format is reading disk blocks to determine if bad blocks exist

    Format wipes out directories, so names of files are lost

    A lot of the data can still be recovered by sifting through data that remains after the format operation

    For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file (see digital forensics Technique # 1 under file renaming fallacy)
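    Header/footer carving as described on this slide, as an added example that is not from the deck: a constructed "disk image" holds a directory naming two files followed by their contents; a toy format rewrites only the directory, and the carver recovers both files from the data area using nothing but the JPEG start-of-image (FF D8 FF) and end-of-image (FF D9) bytes. The image layout, file contents and the 512-byte metadata size are constructed; a real format overwrites far less of the disk, proportionally, than this toy does.

```python
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 1 << 20) -> list:
    """Find each SOI and take bytes up to the next EOI within max_size.
    Returns (offset, data) pairs; no directory or file name is needed."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:                       # header with no footer in range: skip it
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def quick_format(image: bytes, metadata_bytes: int) -> bytes:
    """Toy model of a format: only the metadata region at the front is rewritten;
    the data area is untouched, which is the slide's point."""
    return b"\x00" * metadata_bytes + image[metadata_bytes:]


def build_image() -> tuple:
    """Constructed image: a 512-byte directory naming two files, then their
    contents separated by free space. Filler is plain text so it cannot contain
    a JPEG marker by accident."""
    jpeg_a = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI
    jpeg_b = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + b"B" * 70 + JPEG_EOI
    directory = b"GOLDEN  JPG\x00CACTUS  JPG\x00".ljust(512, b"\x00")
    free = b"free space " * 10
    return directory + jpeg_a + free + jpeg_b + free, [jpeg_a, jpeg_b]


def demo() -> dict:
    image, originals = build_image()
    formatted = quick_format(image, 512)
    carved = carve_jpegs(formatted)
    return {
        "directory_wiped": b"GOLDEN" not in formatted,
        "offsets": [off for off, _ in carved],
        "all_recovered": [data for _, data in carved] == originals,
    }


if __name__ == "__main__":
    print(demo())
```

    Two limits of header/footer carving worth knowing before trusting its output: a file fragmented across non-adjacent clusters comes back with foreign data in the middle, and the two-byte footer can occur inside a file's own data, so real carvers also bound the result by format-specific length fields and sanity-check the recovered file.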

  • Slide 14/30: Fallacy: Media mutilation == Miller time!

    Example # 1: Cutting a floppy into pieces

    Example # 2: Opening a hard drive, removing the platters, throwing them into the trash

    Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery; media can be reassembled and partial recovery performed

    Even strong magnetic fields are insufficient: an older military grade degausser for erasing hard drives was so strong that it bent the platters inside the drive. Your bulk tape eraser isn't going to do the job

    To destroy data: multiple overwrites (software) or complete destruction of hardware

  • Slide 15/30: That's One Big Degausser!

    [Photo of a degausser]

  • Slide 16/30: Fallacy: I used Web-based email

    Fallacy: Use of web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts)

    It's not. Even if you never download the email and immediately delete all messages on the server!

    Recently viewed web pages are stored in web browsers' cache; cache is often in a hard-to-find place

    Internet Explorer: Tools > Internet Options > Delete Files clears the cache in IE

    See slide on recovery of deleted files for futility quotient: files stored in browser cache are not securely deleted when the cache is cleared

    Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash

  • Slide 17/30: Recovery of web-based emails

    [Screenshot]

  • Slide 18/30: Fallacy: Application uninstalls are easy

    Illegal application installed; fear ensues

    Application is uninstalled (Am I safe?): application files can still be undeleted, proving application was installed

    Further steps to obscure installation: securely overwrite application files. Now am I safe?

    Nope. Remnants of installation can likely still be found in the Windows registry

    Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware

  • Slide 19/30: Fallacy: I encrypted my files

    On encrypted file systems, if file is ever printed and spool directory isn't encrypted, fragments may be left behind

    On some systems (e.g., Windows 2000), a recovery agent is able to read all encrypted files. For Windows 2000, this is the administrator account, thus just need to break administrator password

    Problem: keys for truly secure encryption schemes are long

    Search for slips of paper

    Search for unencrypted password lists

    Search PDAs, phones, and organizers for passwords and encryption keys

    Software or hardware keystroke loggers

    Van Eck radiation

    If the file can't be decrypted, the name of the file may still be useful in prosecution

  • Slide 20/30: Beowulf, Slayer of Poorly Chosen Passwords

    How good are your passwords?

  • Slide 21/30: Steganography

    Techniques for hiding information within other information

    Historical: tattoos; text on wood under wax layer on a wax tablet; invisible ink (e.g., writing with lemon juice)

    Modern: much more sophisticated; employ powerful encryption techniques; hide documents within an image, video, or audio file

    Hidden documents can be harmless, or child pornography, bomb plans, ...

  • Slide 22/30: Stego (2)

    [Image]

  • Slide 23/30: Stego (3)

    [Image]

  • Slide 24/30: Stego (4)

    [Image: the 2nd cactus picture, with a picture of Golden slipped inside by jphide]

    Embedding in this case is not obvious (visually) and the image with embedded Golden is actually smaller (in bytes) than the original

    Statistical analysis by stegdetect guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.

  • Slide 25/30: Stego (5)

    [Image: diagram labelled "Core" and "Igniter"]

    This bomb diagram, however, is not detected inside the cactus picture

  • Slide 26/30: Bluepipe: On the Spot Digital Forensics

    [Architecture diagram: the target machine is booted from a Bluepipe CD or removable media; a Bluetooth or 3G dongle links it to a handheld Bluepipe client and to remote investigator(s)]

  • Slide 27/30: Legal Issues

    Investigative needs vs. the right to privacy

    Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution

    Wiretap laws

    Chain of custody

    Admissibility of evidence in court: Daubert. Essentially: Has the theory or technique in question been tested? Is the error rate known? Widespread acceptance within a relevant scientific community?

    Patriot Act: greatly expands governmental powers in terms of searching, wiretap w/o prior notification

  • Slide 28/30: The Other Side: Privacy

    We've concentrated on the cool technology, but the existence of sophisticated digital forensics techniques is a great enabler for fascism

    Actively fight laws that don't appropriately balance privacy with need for investigation

    Secure file deletion software: overwriting files with zeros is good enough unless a tunneling electron microscope is available

    Volatile computing

    Physical destruction of media: grind the media into powder; vats of acid or molten steel
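    The secure-deletion point of this slide (and the "multiple overwrites" remedy of slide 14) as an added example, not a tool from the deck: unlike an ordinary delete, which only touches the filesystem's bookkeeping, this overwrites the file's bytes in place with zeros, forces the write to the device with fsync, reads the region back to confirm it is now zero, and only then unlinks the name. The sample content and the temporary file are constructed. One caveat the 2003 slides predate: on flash/SSD storage, journaling or copy-on-write filesystems, and anything with wear levelling, an in-place write may land on different physical blocks, so the old contents can survive an overwrite that looks complete from the file's point of view.

```python
import os
import tempfile


def secure_delete(path: str, passes: int = 1, chunk: int = 1 << 16) -> dict:
    """Overwrite a file's contents in place (zeros), flush to disk, verify, unlink."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:          # write in bounded chunks, not one huge buffer
                n = min(chunk, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push past the OS cache to the device
        f.seek(0)
        residue = f.read(size)            # what the filesystem now returns for this path
    os.remove(path)                       # the ordinary delete, done last
    return {
        "size": size,
        "bytes_overwritten": size * passes,
        "all_zero": residue == b"\x00" * size,
        "still_exists": os.path.exists(path),
    }


def demo() -> dict:
    """Create a constructed file in a temp location and securely delete it."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"Dear Susan, (constructed sample content)\n" * 2000)
    return secure_delete(path, passes=3)


if __name__ == "__main__":
    print(demo())
```

    The read-back check is the part worth keeping in any real tool: it proves the overwrite reached the file's current blocks, which is all a user-level program can observe; it cannot prove anything about old copies in journals, snapshots or remapped flash blocks.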

  • Slide 29/30: Resources

    Books: Digital Evidence and Computer Crime (E. Casey, Academic Press); Computer Forensics and Privacy (M. Caloyannides, Artech House)

    Websites:

    http://www.dfrws.org (lots of references related to digital forensics, including a link to an interesting e-journal)

    http://www.ijde.org/ (International Journal of Digital Evidence)

    http://vip.poly.edu/kulesh/forensics/list.htm (tons of stuff, including a bunch of online papers)

    http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu (huge collection of forensics-related software)

    Commercial digital forensics software: Encase; FTK (Forensics Tool Kit); ILook (law enforcement only); WinHex

  • Slide 30/30

    Presentation available: http://www.cs.uno.edu/~golden/teach.html

    [email protected]

    Office: Math 346

    ?