Forensics Lesson 1: Introduction

Upload: kornbyrd

Post on 02-Jun-2018

TRANSCRIPT

Page 1: Lesson 1 Introduction to digi forensics

8/11/2019 Lesson 1 Introduction to digi forensics

http://slidepdf.com/reader/full/lesson-1-introduction-to-digi-forensics 1/47

Forensics

Lesson 1: Introduction

Page 2: Lesson 1 Introduction to digi forensics


About the Instructor

Chuck Easttom [email protected]  www.ChuckEasttom.com 

Certifications: A+, Network+, iNet+, Server+, Linux+, MCP (Windows 2000 Pro, VB 6 [Desktop and Distributed]), MCAD, MCSE, MCDBA, MCSA, MCT, MCTS (Windows Server 2008, SQL Server 2008, Visual Studio 2010, Windows 7), MCITP (Windows 7 and SQL Server 2008), CIW Security Analyst, CEH, CHFI, ECSA, EC Council Certified Instructor, CISSP, ISSAP, and others.

Education: B.A. and M.Ed. from Southeastern Oklahoma State University. Ph.D. in progress from Northcentral University.

Publications: 11 computer science books. Currently working on #12.

Worked as a subject matter expert for CompTIA in the creation of the Security+, Server+, and Linux+ exams as well as revising the CTT+.

7 computer science related provisional patents.

Experience: many years in IT, 10+ years of teaching/training.

Creates study guides for Ucertify.com: http://www.ucertify.com/blog/chuck-easttom.html

Frequent expert witness in computer-related cases.

Page 3: Lesson 1 Introduction to digi forensics


About class

Text book: Hacking Exposed Computer Forensics, Second Edition: Computer Forensics Secrets & Solutions

Publisher: McGraw-Hill Osborne Media; 2nd edition (September 10, 2009)

ISBN-10: 0071626778

ISBN-13: 978-0071626774

It is also available via Kindle

Course is 21 hours

Page 4: Lesson 1 Introduction to digi forensics


Computer Forensics Certifications

EC Council Certified Hacking Forensic Investigator: http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx

Certified Forensic Computer Examiner (IACIS): http://www.iacis.com/

Certified Computer Examiner: http://www.isfce.com/

GIAC Certified Forensics Examiner: http://giac.org/certifications/forensics/

Page 5: Lesson 1 Introduction to digi forensics


What is computer forensics?

Computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.

First Responders play a critical role. If you handle the situation wrong at the outset, it may be impossible to prosecute the perpetrators.

Page 6: Lesson 1 Introduction to digi forensics


What is computer forensics (continued)

“If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.” - http://www.us-cert.gov/reading_room/forensics.pdf

Page 7: Lesson 1 Introduction to digi forensics


Computer forensics

Science of investigation

Forensics process:

  Preparation

  Collection

  Analysis

  Reporting

Page 8: Lesson 1 Introduction to digi forensics


 Types of Investigations

(found in chapter 1 of Hacking Exposed Computer Forensics, Second Edition)

Theft of trade secrets

Corporate malfeasance

External Breach

Civil discovery

Criminal Investigations

Computer crimes

Terrorism

Child Pornography

Page 9: Lesson 1 Introduction to digi forensics


 The investigator

Investigator Bias

Qualifications

  Training

  Certifications: CHFI, GIAC, Encase, CISSP

Traits

  Validation of findings

  Proper handling of evidence

  Complete investigation

  Technically competent

  Compliance with laws

Page 10: Lesson 1 Introduction to digi forensics


 The lab

(Chapter 3 of the Hacking Exposed Computer Forensics book)

Spoliation of evidence from environment

  Temperature control

  Fire and power protection

  Flood protection

Spoliation of evidence via network

  Isolation

Spoliation of evidence via physical access

  Locks

  Evidence lockers

Page 11: Lesson 1 Introduction to digi forensics


Proper Case Management

Follow the law

Follow good practices

Confidentiality

DOCUMENT DOCUMENT DOCUMENT DOCUMENT

Page 12: Lesson 1 Introduction to digi forensics


Evidence gathering principles

Touch as little as possible

Establish clear procedures

Document everything

Use tested and accepted techniques and tools

The process is:

  Identify

  Collect & preserve

  Analyze

  Present

Page 13: Lesson 1 Introduction to digi forensics


Forensics Guidelines

1) Make a digital copy of the original evidence. Investigators make a copy of the evidence and work with the copy to reduce the possibility of inadvertently changing the original evidence.

2) Authenticate the copy of the evidence. Investigators must verify that the copy of the evidence is exactly the same as the original.

3) Analyze the digital copy. The specific procedures performed in an investigation are determined by the specific circumstances under which the investigation is occurring.

Page 14: Lesson 1 Introduction to digi forensics


Document Damages

Another important step is to document the specific losses suffered due to the attack. Losses typically include:

Labor cost spent in response and recovery. (Multiply the number of participating staff by their hourly rates.)

If equipment was damaged, the cost of that equipment.

If data was lost or stolen, what was the value of that data? How much did it cost to obtain that data and how much will it cost to reconstruct it?

Any lost revenue including losses due to down time, having to give customers credit due to inconvenience, or any other way in which revenue was lost.

Documenting the exact damages due to the attack is just as important as documenting the attack itself.

Page 15: Lesson 1 Introduction to digi forensics


Warrants

According to the Supreme Court, a "'seizure' of property occurs when there is some meaningful interference with an individual's possessory interests in that property," United States v. Jacobsen, 466 U.S. 109, 113 (1984), and the Court has also characterized the interception of intangible communications as a seizure in the case of Berger v. New York, 388 U.S. 41, 59-60 (1967). Now that means that law enforcement need not take property in order for it to be considered seizure. Merely interfering with an individual's access to his or her own property constitutes seizure. And Berger v. New York extends that to communications. Now if law enforcement's conduct does not violate a person's "reasonable expectation of privacy," then formally it does not constitute a Fourth Amendment "search" and no warrant is required. Now there have been many cases where the issue of reasonable expectation of privacy has been argued. But to use an example that is quite clear, if I save a message in an electronic diary I clearly have a reasonable expectation of privacy, but if I post such a message on a public bulletin board, I can have no expectation of privacy. In less clear cases a general rule is that courts have held that law enforcement officers are prohibited from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation.

Page 16: Lesson 1 Introduction to digi forensics


Warrants Continued

In computer crime cases, two consent issues arise particularly often.

First, when does a search exceed the scope of consent? For example, when a person agrees to the search of a location, for example their apartment, does that consent authorize the retrieval of information stored in computers at the location? Second, who is the proper party to consent to a search? Can roommates, friends, and parents legally grant consent to a search of another person's computer files? These are all very critical questions that must be considered when searching a computer. In general courts have held that the actual owner of a property can grant consent. For example a parent of a minor child can grant consent to search the living quarters and computers. However a roommate who shares rent can only grant consent to search living quarters and computers that are co-owned by both parties. A roommate cannot grant consent to search the private property of the other person.

Page 17: Lesson 1 Introduction to digi forensics


Chain of custody

Keep a record of:

  Discoverer of the evidence

  Collection location

  Date and time of collection

  Names of everyone who had access

  Names of everyone who “owned” the evidence
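As an added example (not from the slides or the course text), the following Python sketch records the chain-of-custody fields listed above in a log whose entries are linked by SHA-256 hashes, so that any later alteration or removal of an entry can be detected when the log is checked. The case number, people, times and item hash are constructed sample values.

```python
import hashlib
import json

# Added example, not part of the slides: a tamper-evident chain-of-custody log.
# Each entry holds the fields the slide asks for plus the SHA-256 of the
# previous entry, so editing or deleting any record breaks the chain.

GENESIS = "0" * 64  # the first entry has no predecessor


def _digest(record):
    # canonical JSON so the same record always hashes the same way
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id, discoverer, location, collected_at, item_hash):
        self.entries = []
        self._append({
            "evidence_id": evidence_id,
            "event": "collected",
            "actor": discoverer,        # who found/seized the evidence
            "location": location,       # where it was collected
            "time": collected_at,       # date and time of collection (ISO 8601, UTC)
            "item_hash": item_hash,     # hash of the evidence itself (e.g. the image file)
            "prev": GENESIS,
        })

    def _append(self, record):
        record["entry_hash"] = _digest(record)
        self.entries.append(record)

    def transfer(self, from_person, to_person, when, purpose):
        """Record a hand-over to a new custodian."""
        self._append({
            "evidence_id": self.entries[0]["evidence_id"],
            "event": "transfer",
            "actor": from_person,
            "recipient": to_person,
            "time": when,
            "purpose": purpose,
            "prev": self.entries[-1]["entry_hash"],
        })

    def custodians(self):
        """Everyone who has held the evidence, in order."""
        return [self.entries[0]["actor"]] + [e["recipient"] for e in self.entries[1:]]

    def verify(self):
        """Index of the first entry whose hash or back-link is wrong, or None if intact."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != expected_prev or e["entry_hash"] != _digest(body):
                return i
            expected_prev = e["entry_hash"]
        return None


def build_demo_log():
    # constructed sample values (hypothetical case, people, times and image hash)
    log = CustodyLog("CASE-0001/HDD-01", "Officer A. Ruiz", "Suite 4B, 12 Example St",
                     "2018-06-02T09:15:00Z", "example-image-hash")
    log.transfer("Officer A. Ruiz", "Examiner B. Chen", "2018-06-02T11:40:00Z", "imaging")
    log.transfer("Examiner B. Chen", "Evidence clerk C. Patel", "2018-06-03T16:05:00Z", "storage")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("custodians:", log.custodians())
    print("intact:", log.verify() is None)
    log.entries[1]["recipient"] = "someone else"   # tamper with one record
    print("first bad entry after tampering:", log.verify())
```

The linkage only proves that the log was not silently edited after the fact; it does not replace signatures on the paper form or the physical evidence locker, it complements them.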

Page 18: Lesson 1 Introduction to digi forensics


US Laws

TITLE 18 > PART I > CHAPTER 121

2703. Required disclosure of customer communications or records

http://www.law.cornell.edu/uscode/18/usc_sec_18_00002703----000-.html

TITLE 18 > PART I > CHAPTER 47

1029. Fraud and related activity in connection with access devices

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001029----000-.html

TITLE 18 > PART I > CHAPTER 47

1030. Fraud and related activity in connection with computers

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

Page 19: Lesson 1 Introduction to digi forensics


Other Federal Laws to know

The Electronic Communications Privacy Act of 1986

The Communications Decency Act of 1996

No Electronic Theft Act of 1997

Digital Millennium Copyright Act

Children's Internet Protection Act

CAN-SPAM Act of 2003

Identity Theft Enforcement and Restitution Act of 2008

Page 20: Lesson 1 Introduction to digi forensics


File Systems

The general purpose of a file system is to handle files. This includes:

Managing access to files is an issue that is handled by the file system.

Establishing who has access rights to a given file must be managed in some systematic manner. This includes permissions for reading, writing, and executing the file.

File system recovery (with Journaling File Systems).

Page 21: Lesson 1 Introduction to digi forensics


File Systems - Journaling

Journaling is basically the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash the files can be recovered. Journaling file systems are fault tolerant because the file system will log all changes to files, directories, or file structures. The log in which changes are recorded is referred to as the file system's journal. Thus the term journaling file systems.

There are actually two types of journaling: physical and logical. With physical journaling, the system logs a copy of every block that is about to be written to the storage device, before it is written. The log also includes a checksum of those blocks, to make sure there is no error in writing the block. With logical journaling only changes to file metadata are stored in the journal.
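The physical-journaling behaviour described above, as an added Python simulation that is not part of the slides: every block write is recorded in a journal together with a CRC32 checksum before it reaches the main storage area, a crash can interrupt the write at either stage, and recovery replays only the journal records whose checksum still verifies. The block size, the JournaledDisk class and the crash hooks are constructed for the demonstration and do not model any particular file system.

```python
import zlib

# Added example, not from the slides: a toy disk with physical journaling.
BLOCK_SIZE = 16  # tiny blocks so the demo is easy to read


class JournaledDisk:
    def __init__(self, n_blocks):
        self.data = [bytes(BLOCK_SIZE)] * n_blocks  # main storage area, zero-filled
        self.journal = []                           # records of (block_no, payload, crc32)

    def write_block(self, block_no, payload, crash_after_journal=False):
        """Journal the block (with its checksum) first, then commit it to the main area."""
        if len(payload) != BLOCK_SIZE:
            raise ValueError("payload must be exactly one block")
        self.journal.append((block_no, payload, zlib.crc32(payload)))
        if crash_after_journal:
            return  # power lost: journal holds the block, main area still has the old contents
        self.data[block_no] = payload

    def tear_last_journal_record(self):
        """Simulate a torn write: only half of the last record's payload reached the journal."""
        block_no, payload, crc = self.journal[-1]
        torn = payload[: BLOCK_SIZE // 2] + bytes(BLOCK_SIZE // 2)
        self.journal[-1] = (block_no, torn, crc)   # stored crc no longer matches the data

    def recover(self):
        """Replay journal records whose checksum verifies; skip the rest.
        Returns (replayed, skipped) and empties the journal."""
        replayed = skipped = 0
        for block_no, payload, crc in self.journal:
            if zlib.crc32(payload) != crc:
                skipped += 1          # never apply a block we cannot trust
                continue
            self.data[block_no] = payload
            replayed += 1
        self.journal.clear()
        return replayed, skipped


def demo():
    disk = JournaledDisk(4)
    disk.write_block(0, b"A" * BLOCK_SIZE)                            # normal write
    disk.write_block(1, b"B" * BLOCK_SIZE, crash_after_journal=True)  # crash before commit
    first = disk.recover()           # replays blocks 0 and 1 -> (2, 0)
    disk.write_block(2, b"C" * BLOCK_SIZE, crash_after_journal=True)
    disk.tear_last_journal_record()  # the journal record itself is damaged
    second = disk.recover()          # checksum fails, block 2 left untouched -> (0, 1)
    return first, second, disk.data[1], disk.data[2]


if __name__ == "__main__":
    print(demo())
```

The point of the checksum is visible in the second recovery: without it the half-written record would have been replayed onto block 2, and the main area would end up holding data that was never fully written anywhere.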

Page 22: Lesson 1 Introduction to digi forensics


File Systems FAT

FAT (File Allocation Table) is an older system that was popular with Microsoft operating systems for many years. FAT was first implemented in Microsoft standalone Disk BASIC. FAT stores file locations by sector in a file called, eponymously, the File Allocation Table. This table contains information about which clusters are being used by what particular files, and which clusters are free to be used. The various extensions of FAT (FAT16, FAT32) differ in the number of bits available for file names. For example FAT16 only supports 16 bit file names, whereas FAT32 supports 32 bit file names.

The hard drive is divided into one or more partitions. Each partition is then divided up into identically sized clusters. Cluster sizes vary depending on the type of FAT file system being used and the size of the partition, but are usually between 2 KB and 32 KB.

The File Allocation Table (FAT) is really a list of entries that map to each cluster on the partition. Each entry records one of five things:

  The cluster number of the next cluster for this file.

  If this cluster is the end of a chain, then it will have a special end of cluster chain (EOC) entry.

  Bad clusters have a special entry in the File Allocation Table.

  Reserved clusters have a special entry in the File Allocation Table.

  Open, or available, clusters are also marked in the File Allocation Table.

NOTE: Floppy disks use FAT12
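An added Python example (not from the slides) of how the five kinds of FAT entry are interpreted when following a file's cluster chain. It uses the FAT12 marker values (the variant the slide notes floppy disks use); the table SAMPLE_FAT is constructed and includes a normal chain, a single-cluster file, a bad cluster, a free cluster and a corrupted chain that loops back on itself, which a chain walker has to detect rather than follow forever.

```python
# Added example, not from the slides: interpreting FAT entries and walking a cluster chain.
# Entry values are those of FAT12 (the floppy-disk variant the slide mentions).
FREE = 0x000
BAD_CLUSTER = 0xFF7
EOC_MIN = 0xFF8           # 0xFF8..0xFFF mark the end of a cluster chain
FIRST_DATA_CLUSTER = 2    # entries 0 and 1 of every FAT are reserved


def classify(entry):
    """Which of the five kinds of FAT entry this is."""
    if entry == FREE:
        return "free"
    if entry == 0x001 or 0xFF0 <= entry <= 0xFF6:
        return "reserved"
    if entry == BAD_CLUSTER:
        return "bad"
    if entry >= EOC_MIN:
        return "end-of-chain"
    return "next-cluster"


def walk_chain(fat, start):
    """Return the list of clusters that make up the file starting at cluster `start`.
    Raises ValueError if the chain is damaged (loop, bad/free/reserved cluster, out of range)."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < FIRST_DATA_CLUSTER or cluster >= len(fat):
            raise ValueError(f"cluster {cluster} is outside the data area")
        if cluster in seen:
            raise ValueError(f"chain loops back to cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        kind = classify(fat[cluster])
        if kind == "end-of-chain":
            return chain
        if kind != "next-cluster":
            raise ValueError(f"cluster {cluster} is marked {kind}")
        cluster = fat[cluster]


def free_clusters(fat):
    """Clusters available for allocation (where the contents of deleted files may still sit)."""
    return [c for c in range(FIRST_DATA_CLUSTER, len(fat)) if fat[c] == FREE]


def chain_size(chain, cluster_bytes):
    """Space a chain occupies on disk, file slack included."""
    return len(chain) * cluster_bytes


# Constructed sample table: indices are cluster numbers, values are FAT entries.
SAMPLE_FAT = [
    0xFF0,  # 0: reserved (media descriptor)
    0xFFF,  # 1: reserved
    0x003,  # 2: file A continues at cluster 3
    0x005,  # 3: ... then at cluster 5
    0xFF7,  # 4: bad cluster
    0xFFF,  # 5: end of file A
    0x000,  # 6: free
    0x008,  # 7: damaged chain: 7 -> 8 -> 7
    0x007,  # 8
    0xFFF,  # 9: file B, a single cluster
]

if __name__ == "__main__":
    file_a = walk_chain(SAMPLE_FAT, 2)
    print("file A:", file_a, "occupies", chain_size(file_a, 512), "bytes with 512-byte clusters")
    print("free:", free_clusters(SAMPLE_FAT))
    for start in (7, 4):
        try:
            walk_chain(SAMPLE_FAT, start)
        except ValueError as err:
            print("damaged:", err)
```

The free-cluster list is what undelete tools start from: when a file is deleted, FAT marks its clusters free but does not clear their contents, so the data remains recoverable until the clusters are reused.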

Page 23: Lesson 1 Introduction to digi forensics


File Systems NTFS

Microsoft eventually introduced a new file system to replace FAT. This file system is called New Technology File System (NTFS). This is the file system used by Windows NT 4, 2000, XP, Vista, 7, Server 2003 and Server 2008. One major improvement of NTFS over FAT was the increased volume sizes NTFS could support. The maximum NTFS volume size is 2^64 − 1 clusters. As of this writing, no version of Windows currently supports volumes that large.

NTFS also introduced a number of other interesting features. Perhaps the most notable is its support of the Encrypted File System (EFS). This allows the end user to easily encrypt and decrypt individual files and folders.

There are several individual files that are key to this file system. Two of the most fundamental are the MFT (Master File Table; some sources call it the Meta File Table) file and the cluster bitmap. The MFT describes all files on the volume, including file names, timestamps, security identifiers, and file attributes such as "read only", "compressed", "encrypted", etc. This file contains one base file record for each file and directory on an NTFS volume. It serves the same purpose as the file allocation table does in FAT and FAT32. The cluster bitmap file is a map of all the clusters on the hard drive. This is an array of bit entries where each bit indicates whether its corresponding cluster is allocated/used or free/unused.

Unlike FAT/FAT32, NTFS is a journaling file system, as we previously described. NTFS uses the NTFS Log ($Logfile) to record information about changes to the volume.

Page 24: Lesson 1 Introduction to digi forensics


NTFS Continued

v1.0 with NT 3.1

v1.1 with NT 3.5

v1.2 with NT 3.51 and NT 4

v3.0 from Windows 2000 ("NTFS V5.0" or "NTFS5")

v3.1 from Windows XP ("NTFS V5.1")

Windows Server 2003 ("NTFS V5.2")

Windows Server 2008 and Windows Vista (mid-2005) ("NTFS V6.0")

Windows Server 2008 R2 and Windows 7 (occasionally "NTFS V6.1")

Page 25: Lesson 1 Introduction to digi forensics


NTFS Files

Page 26: Lesson 1 Introduction to digi forensics


File Systems EXT

Extended File System was the first file system created specifically for Linux. There have been many versions of EXT; the current version is 4. The EXT 4 file system can support volumes with sizes up to 1 exabyte (10^18 bytes or 1 billion gigabytes) and files with sizes up to 16 terabytes. This is frankly a huge file and volume size, and no current hard drives come even close to that volume size. For an administrator, one of the most exciting features of EXT 4 is that it is backward compatible with EXT 2 and EXT 3, making it possible to mount drives that use those earlier versions of EXT.

EXT was not originally a journaling file system, but journaling was added in later versions. Journaling was first introduced in EXT3. EXT 3 and 4 support three specific types of journaling. The most secure and safe level is called 'journal'. With the journal level, metadata and file contents are written to the journal before being written to the main file system. The next level, slightly less secure than 'journal', is called 'ordered'. With this level only metadata is written to the journal. However, changes to files are not journaled until they have been committed to the disk. Finally, the least secure level is 'writeback'. Only metadata is written to the journal, and it might be written to the journal before or after it is actually committed. EXT4 introduced checksums in the journal to prevent errors. EXT3 did not have checksumming for the journal.

Page 27: Lesson 1 Introduction to digi forensics


File Systems Reiser

The Reiser File System is a popular journaling file system, used primarily with Linux. Reiser was the first file system to be included with the standard Linux kernel, and first appeared in kernel version 2.4.1. Unlike some file systems, Reiser supported journaling from its inception, whereas EXT did not support journaling until version 3. Reiser File System is open source and was invented by Hans Reiser.

Several Linux distributions have used Reiser as their file system including SuSE and Debian. However many of those distributions are moving away from Reiser because its future development may be hampered. The problem is not with the file system itself, but rather that the inventor, who was also responsible for supporting and updating the file system, has been convicted of murdering his wife.

Page 28: Lesson 1 Introduction to digi forensics


File Systems Berkeley Fast File System

The Berkeley Fast File System is also known as the Unix File System. As its name(s) suggest it was developed at Berkeley specifically for Unix. Like many file systems, Berkeley uses a bitmap to track free clusters, indicating which clusters are available and which are not. Like EXT, Berkeley also includes the FSCK utility. This is only one of many similarities between Berkeley and EXT. In fact some sources consider EXT to just be a variant of the Berkeley Fast File System.

Page 29: Lesson 1 Introduction to digi forensics


 Types of Data

Active Data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.

Archival Data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.

Latent Data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.

Page 30: Lesson 1 Introduction to digi forensics


Basics

Secure

  Scene

  Personnel

  Preserve

Document

  Document the items

  Document the procedures

Preserve chain of custody

Attention to detail

Page 31: Lesson 1 Introduction to digi forensics


Make a forensic copy

Don't analyze the actual drive in question.

Make a forensic copy.

Page 32: Lesson 1 Introduction to digi forensics


At the scene

Immediately determine if a destructive program is running on the computer. If one is running, the investigator should pull the power plug. This will ensure no further evidence is lost. Place tape across all open disk drives so that no media is inadvertently placed in the disk drives. The system date and time should be collected from the BIOS setup. This time should be compared with a reliable time source (e.g., one synchronized with an atomic clock), and any discrepancies noted. This may be important if it is necessary to correlate events between two computers, or between the activities of a user and the times associated with particular files on the computer.

Page 33: Lesson 1 Introduction to digi forensics


At the scene continued

Document the computer and its surroundings

Use video tape if available

If the computer is running, take a photograph of the screen.

Take photographs of the front, side, and back of the computer.

Note any and all connected devices.

Physically open the computer and take photographs of the inside of the computer.

Page 34: Lesson 1 Introduction to digi forensics


Making a forensic copy of the drive

Knoppix security distribution http://s-t-d.org/ 

Penguin sleuth kit http://www.linux-forensics.com/ 

Forensically wipe the destination drive.

A forensic wipe can be accomplished with the dd command:

    dd if=/dev/zero of=/dev/hdb1 bs=2048

Verify via grep:

    grep -v '0' /dev/hdb1
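The grep check above looks for lines of the device that lack the character '0'; what a wipe verification has to establish is that every byte of the destination is the zero byte, so a defender will usually want a check that reads the raw bytes. As an added Python example (not from the slides), the function below scans a device or file in large chunks and returns the offset of the first non-zero byte, or None when the wipe is complete. The demo builds two constructed sample files under a temporary directory rather than touching a real device; the path /dev/hdb1 from the slide would be passed in their place.

```python
import os
import tempfile

# Added example, not from the slides: verify that a destination device is zero-filled.
CHUNK = 1 << 20  # read 1 MiB at a time


def first_nonzero_offset(path, chunk_size=CHUNK):
    """Scan `path` (a block device or file) and return the byte offset of the first
    non-zero byte, or None if every byte is zero."""
    zeros = bytes(chunk_size)
    offset = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                return None
            if buf != zeros[: len(buf)]:          # fast compare of the whole chunk
                return offset + next(i for i, b in enumerate(buf) if b)
            offset += len(buf)


def is_wiped(path):
    """True when the whole device reads back as zero bytes."""
    return first_nonzero_offset(path) is None


def make_sample(path, size, dirty_at=None):
    """Constructed stand-in for a drive: `size` zero bytes, optionally one stray byte."""
    with open(path, "wb") as fh:
        fh.write(bytes(size))
        if dirty_at is not None:
            fh.seek(dirty_at)
            fh.write(b"\x5a")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.bin")
        dirty = os.path.join(tmp, "dirty.bin")
        make_sample(clean, 3 * CHUNK)
        make_sample(dirty, 3 * CHUNK, dirty_at=1_500_000)  # leftover data in the second chunk
        return first_nonzero_offset(clean), first_nonzero_offset(dirty)


if __name__ == "__main__":
    print(demo())   # a real run would pass /dev/hdb1 from the slide to is_wiped()
```

Reporting the offset rather than a bare yes/no tells you whether a failed wipe stopped early (one trailing region of old data) or whether the device has unreadable or remapped areas that the wipe never reached.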

Page 35: Lesson 1 Introduction to digi forensics


dd

dd is a common Unix program whose primary purpose is the low-level copying and conversion of raw data.

The name is an allusion to the mainframe JCL DD statement.

It is jokingly said to stand for "disk destroyer", "data destroyer", or "delete data", since, being used for low-level operations on hard disks, a small mistake, such as reversing the if and of parameters, can possibly result in the loss of some or all data on a disk.

Page 36: Lesson 1 Introduction to digi forensics


Making a forensics copy (continued)

Netcat reads and writes bits over a network connection. The command to run on the forensics server is:

    # nc -l -p 8888 > evidence.dd

This sets up the listen process on the forensics server prior to sending the data from the subject's computer. On the subject's computer we use the dd command to read the first partition:

    # dd if=/dev/hda1 | nc 192.168.0.2 8888 -w 3

We pipe the output of the dd command to netcat, which sends the bits over the network to the specified network address and port on our listening forensic computer.

The argument -w 3 indicates that netcat should wait 3 seconds before closing the connection upon finding no more data.

Page 37: Lesson 1 Introduction to digi forensics


Calculate the hash

After we create the image we must verify its integrity. You must calculate the hash of the source hard drive by issuing the following command from the subject's computer:

    # md5sum /dev/hda1 | nc 192.168.0.2 8888 -w 3

This command calculates the MD5 hash of the source hard drive and pipes the results over the network to our forensic server.

Page 38: Lesson 1 Introduction to digi forensics


Compare the hash

We capture this information by setting up a listening process on the forensic computer as demonstrated in the first command below:

    # nc -l -p 8888 >> evidence.md5

The command

    # md5sum evidence.dd >> evidence.md5

calculates the MD5 hash of our forensic image and appends it to the previously created MD5 file. The “>>” operator appends the output of the command to an existing file.

WARNING: If we were to use a single “>” the file evidence.md5 would have been overwritten by the output of the command, rather than appended.

If our hashes match then the imaging was successful and analysis can begin.
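The copy-then-verify procedure on the last few slides (and guideline 2 on the Forensics Guidelines slide), as an added Python example that is not part of the slides: the source is read block by block and written to the image file while its hash is computed from the same stream, the finished image is then hashed independently, and the two digests are compared. It computes SHA-256 alongside the MD5 the slides use. The 256 KiB "drive" and the tampered byte at offset 12345 are constructed for the demonstration in place of /dev/hda1 and evidence.dd.

```python
import hashlib
import os
import tempfile

# Added example, not from the slides: image a source device into a file while hashing
# the stream, then re-hash the image independently and compare the digests.
BLOCK = 4096


def image_and_hash(src, dst, block_size=BLOCK):
    """Copy src to dst block by block (what dd does) and hash the source stream as it is read.
    Returns (bytes_copied, md5_hex, sha256_hex) of the source."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for buf in iter(lambda: fin.read(block_size), b""):
            fout.write(buf)
            md5.update(buf)
            sha.update(buf)
            copied += len(buf)
    return copied, md5.hexdigest(), sha.hexdigest()


def hash_file(path, block_size=BLOCK):
    """Independent hash of a finished image (the `md5sum evidence.dd` step)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(block_size), b""):
            md5.update(buf)
            sha.update(buf)
    return md5.hexdigest(), sha.hexdigest()


def image_and_verify(src, dst):
    """Image src to dst and report whether the image hashes match the source."""
    copied, src_md5, src_sha = image_and_hash(src, dst)
    img_md5, img_sha = hash_file(dst)
    return {
        "bytes": copied,
        "md5": src_md5,
        "sha256": src_sha,
        "verified": src_md5 == img_md5 and src_sha == img_sha,
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "hda1.bin")        # constructed stand-in for /dev/hda1
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 1024)     # 256 KiB of known content
        report = image_and_verify(src, img)
        # an image that was altered (or truncated/mis-copied) must no longer verify
        with open(img, "r+b") as fh:
            fh.seek(12345)
            fh.write(b"\xff")
        tampered_md5, _ = hash_file(img)
        return report, tampered_md5 == report["md5"]


if __name__ == "__main__":
    report, still_matches = demo()
    print(report)
    print("altered image still matches:", still_matches)
```

Hashing the source from the same read that produces the image means the original is read exactly once, which matters for a failing drive; the image is then re-read in full so the comparison covers what actually landed on the destination, not what was sent.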

Page 39: Lesson 1 Introduction to digi forensics


What to check

Files

Browser

System logs

Deleted files

Page 40: Lesson 1 Introduction to digi forensics


Handling Images as evidence

Preserve the original digital image. This is critical. You may need to enhance images to see some detail, but that enhancement should be done to a copy. You should retain the original image exactly as you found it. The original file must never be written over or deleted.

Preserve images in their original format.

Page 41: Lesson 1 Introduction to digi forensics


Undelete files- Undelete plus

Undelete Plus is available from http://www.undelete-plus.com for $29.95. What makes this tool worthy of mention is that it is very easy to use. You simply select a drive and click the scan button, and it will list any deleted files it finds.

Page 42: Lesson 1 Introduction to digi forensics


Undelete files - DiskDigger

This product is available at http://dmitrybrant.com/diskdigger and is freeware. This makes it an attractive product. The site does accept donations, but you are free to download and use this product at no charge. This utility has a wizard interface that walks the user through the process.

Page 43: Lesson 1 Introduction to digi forensics


Lab 1

Use Disk Digger to recover files from your computer

Estimated time: 20 minutes

Page 45: Lesson 1 Introduction to digi forensics


Forensic Tools

Encase

The Sleuth Kit: http://www.sleuthkit.org/sleuthkit/

Helix: http://www.e-fense.com/h3-enterprise.php (FREE 30 day trial)

The Disk Investigator: http://www.theabsolute.net/sware/dskinv.html

Microsoft Computer Online Forensic Evidence Extractor (COFEE): http://www.microsoft.com/industry/government/solutions/cofee/

Page 46: Lesson 1 Introduction to digi forensics


Links

http://www.computerforensicsworld.com/

http://www.forensicswiki.org/wiki/Main_Page

http://www.computerforensics.com/

FBI Computer Forensics: http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm

United States Secret Service: http://www.secretservice.gov/ectf.shtml

Federal Bureau of Investigation: http://www.cert.org/tech_tips/FBI_investigates_crime.html

Page 47: Lesson 1 Introduction to digi forensics


A collection of forensics tools

http://www.forensicswiki.org/wiki/Tools