Collection of Evidence
Computer Forensics 152/252

Ethical and Legal Requirements for Collecting Evidence

Expectations of privacy
- Stems from the customs of the society.
- Is an ethical right.
- Is legally protected.
- Can be modified or removed by company policy.

Thomas Schwarz, S.J. SCU Comp. Eng. 2013
Ethical and Legal Requirements for Collecting Evidence

Stated monitoring policy
- Removes most legal and ethical problems.
- Can explain the reasons behind the policy.
- Can be formulated and discussed in advance, instead of reacting in the heat of the moment.
- Can be (or its existence can be) advertised on login banners that apply even to intruders through the indirect consent doctrine.
Ethical and Legal Requirements for Collecting Evidence

Monitoring and logging:
- Results in computer records that are probably business records, which makes it easy to admit them directly into evidence.
- If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.
Evidence

Computer evidence must be
- Admissible.
- Authentic.
- Complete.
- Reliable.
- Believable and understandable.
Logging
- It's cheap and easy.
- Intruders are not always successful in erasing their traces.
- Log records become business records and are more easily admitted into evidence.
- Ideally, logs are on write-once, read-many (WORM) devices.
  - In reality, one can come close to WORM.
Volatility
- Volatility: evidence can degrade.
  - Example: evidence in RAM does not survive a power-off.
  - Example: network status changes when connections are closed and new ones opened.
Volatility

Degrees of volatility:
1. Memory
2. Running processes
3. Network state
4. Permanent storage devices
Reacting to Volatility

Plan:
- What evidence are you looking for?
- Where can it be found?
- How do you get it?
Reacting to Volatility

Unplug the power plug (or remove the battery)
- Destroys volatile evidence.
- Completely preserves the stored evidence as it was at the point of seizure.
Reacting to Volatility

Graceful shutdown
- Destroys volatile evidence.
- Alters system files.
- Allows clean-up software to run.
Reacting to Volatility

Unplug the network cable
- Removes an intruder's access to the system.
- Alerts the intruder.
- “Dead Man Switch” programs can destroy evidence.
Reacting to Volatility

Live examination
- An intruder with root privileges can watch.
- System tools can be trojaned, including booby-trapped.
- Use forensics tools from a floppy / CD.
  - Does not work if the system is rootkitted.
Reacting to Volatility
- Know the trade-offs.
- There are no good reasons for a graceful shutdown.
- If doing a live investigation, then monitor the network first.
Documentation and Chain of Custody

Document each step in a forensics procedure.
- Best if automatically generated.
- Use forensically sound tools.
- “Two Pair of Eyes” integrity rule for data gathering.
- Best: a clear procedural policy.
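The slides ask that each step be documented, ideally automatically, and earlier that logs sit on WORM media or something close to it. The following Python sketch is an added example, not material from the slides: it keeps the procedure record as a hash chain, where each entry commits to the hash of the entry before it, so a later edit to or removal of a step is detected when the chain is verified. The chaining scheme, the entry fields and the sample steps are assumptions of this example, and the image hash value inside it is a labelled placeholder.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed example, not from the slides: an append-only, hash-chained record
# of the steps of a forensic procedure. Every entry commits to the hash of the
# entry before it, so editing or dropping an earlier step breaks each later
# link. The slides recommend WORM storage for logs but prescribe no mechanism;
# hash chaining is one software approximation and is an assumption here.

GENESIS = "0" * 64   # "previous hash" of the first entry


def _entry_hash(prev: str, ts: str, by: str, action: str, detail: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps({"prev": prev, "ts": ts, "by": by, "action": action, "detail": detail},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_step(log: List[dict], by: str, action: str, detail: dict, ts: str = "") -> dict:
    """Record one step; the link to the previous step is computed, never supplied by the caller."""
    prev = log[-1]["hash"] if log else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat()
    entry = {"prev": prev, "ts": ts, "by": by, "action": action, "detail": detail}
    entry["hash"] = _entry_hash(prev, ts, by, action, detail)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, int]:
    """Recompute every link; returns (ok, index of the first bad entry or -1)."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != expected_prev:
            return False, i
        if _entry_hash(e["prev"], e["ts"], e["by"], e["action"], e["detail"]) != e["hash"]:
            return False, i
        expected_prev = e["hash"]
    return True, -1


def build_sample_log() -> List[dict]:
    """Constructed three-step procedure; a second examiner witnesses the seizure (the 'two pair of eyes' rule)."""
    log: List[dict] = []
    append_step(log, "examiner A", "seize", {"item": "laptop HDD", "tag": "EV-001"}, "2013-01-01T10:00:00+00:00")
    append_step(log, "examiner B", "witness", {"tag": "EV-001", "confirms": "seize"}, "2013-01-01T10:01:00+00:00")
    # The sha1 value is a placeholder for the image hash an acquisition tool would report.
    append_step(log, "examiner A", "image", {"tag": "EV-001", "sha1": "<image hash placeholder>"}, "2013-01-01T11:30:00+00:00")
    return log


def demo_tamper() -> Tuple[bool, bool, int]:
    """Verify a clean log, then 'correct' the evidence tag of the first step after the fact."""
    log = build_sample_log()
    ok_before, _ = verify_chain(log)
    log[0]["detail"]["tag"] = "EV-002"
    ok_after, bad_index = verify_chain(log)
    return ok_before, ok_after, bad_index
```

Because the previous-hash field is computed by `append_step` rather than supplied, a record can only be extended, never rewritten in place without leaving a detectable break; the verification step is what makes the record worth more than a plain text file.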
Do Not Alter Evidence

Evidence can be easily and inadvertently altered by the forensics procedure:
- Use of improper tools like tar that alter file access times.
- Trojaned system utilities.
- Dead Man Switch
  - An intruder tool that changes files when the computer is no longer connected to the internet.
- System shutdown and reboot.
Cloud Computing
- Allows evidence to be hidden successfully, since account generation is hidden.
- Corporate / organizational environment: prepare for incidents.
  - Logging of network connections.
  - Install monitoring software on corporate computers in a high-security environment.
Forensics Duplication
Storage Devices

Forensic duplication
- Creating a “mirror image” of a storage device such as a disk drive.
  - “Mirror” is considered bad language, since a mirror actually reverses handedness.
Forensics Duplicates as Admissible Evidence
- Federal Rules of Evidence §1002 requires an original to prove the content of a writing, record, or photograph.
  - Follows from the best evidence rule: copying can introduce errors.

Forensics Duplicates as Admissible Evidence

F.R.E. §1001(3):
  If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original".

Forensics Duplicates as Admissible Evidence

Federal Rules of Evidence §1003:
  A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.

Forensics Duplicates as Admissible Evidence
- As familiarity with digital data increases, the behavior of the judicial system will become more rational.
Reasons for Forensics Duplication
- The examination can destroy evidence inadvertently.
- The original computer system might be available only for capturing.

Definition of Forensic Duplication
- Able to produce an identical byte stream from the duplicate as from the original.

Definitions
- Forensic Duplicate: a file that contains every bit of information from the source in a raw bitstream format.
- Qualified Duplicate: same as above, but allows embedded metadata or certain types of compression.

Definitions
- Restored Image: a forensic duplicate or qualified forensic duplicate restored to another storage medium.
  - Difficult to do if the second hard drive does not have the same geometry as the previous one.

Definitions
- Mirror Image: created from hardware that does a bit-to-bit copy from one hard drive to another.
  - Issue with disk and file system metadata such as boot sectors.
Creating a Forensics Duplicate of a Hard Drive
- Hardware mirroring.
  - Can be done in the field.

Creating a Forensics Duplicate of a Hard Drive

Hardware imager
- Creates a forensic duplicate from the suspect drive to the evidence drive.
  - Sector-by-sector copy.
- Needs:
  - (Integrated) write blocker.
  - Verification of the copy.
    - MD5, SHA1 of the complete copy.
  - Logging of results.
  - Dealing with operation errors.
    - Confusion between suspect and evidence drive.
Creating a Forensics Duplicate of a Hard Drive

Current and future issues
- Large data size.
- Storage crosses devices.
- Read errors become more likely.
- RAID Level 5, 6.
- Need for acquisition from a live system.
Software tools: Unix dd
 Tested and proven.
 Runs on Unix/Linux/Mac OS X which can recognize
almost any hardware.
 Free.
Creating a Forensics Duplicate of a Hard
Drive
Software tools: Encase
 Expensive.
 Full Suite of Forensics Tools.
 Great Market Penetration.
 Based on Windows, which can be a problem, since
Windows might “discover” a drive connected to the
system.
Creating a Forensics Duplicate of a Hard
Drive




Software Tools: Safeback
Specialized Imaging Tool.
Uses DOS
Target Drive needs FAT 32.
Creating a Forensics Duplicate of a Hard
Drive

FTK

Drive Duplication tool included in the Forensic Tool Kit
Write-blocking
- Software or hardware tool that prevents writes to a disk.
  - Software tools are hard to validate.
- All forensics tools need to be validated before use.
  - Manufacturers offer expert testimony when tools are challenged.
  - Forensics institutes publish test results.
    - Test images at Purdue.
  - Examiners might do some testing as well.
    - Publication in peer-reviewed journals increases the value of testimony.
Write-blocking

Hardware write blocking
- Simple device put between the disk and the interface.
- Acknowledges writes to the system on which the drive is mounted, but does not write.
- Easy to validate by design and experiment.

Write-blocking

Hardware write blocking
- Use hardware write blocking devices as a standard means to prevent overwriting evidence when making a forensic duplicate.
- Keep a variety of hardware blockers around because they do not always work.
  - (The system does not recognize the drive.)
Equipment Needs
- Set of write blockers.
- Set of cables, converters, …
- Forensics portable (usually not a laptop) for software acquisition.
- Hardware duplicator.
NIST
- http://www.cftt.nist.gov/
- Digital Data Acquisition Tool Test Assertions and Test Plan
- Digital Data Acquisition Tool Specification
- Disk Imaging Specifications 3.1.6

The top-level disk imaging tool requirements are the following:
- The tool shall make a bit-stream duplicate or an image of an original disk or partition.
- The tool shall not alter the original disk.
- The tool shall be able to verify the integrity of a disk image file.
- The tool shall log I/O errors.
- The tool’s documentation shall be correct.
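The hardware-imager slide and the NIST requirements above name the same checks: a sector-by-sector copy, verification by hashing the complete copy, logging of I/O errors, and an original that is never altered. The Python block below is an added example, not material from the slides and not the code of dd or any named tool; it models those checks in the manner of `dd conv=noerror,sync`. Unreadable sectors are logged and zero-filled so every later sector keeps its true offset, the finished image is re-hashed independently of the copy loop, and the source model is hashed before and after acquisition to confirm it was not changed. The in-memory drive with injected read errors is a constructed stand-in for a device behind a write blocker.

```python
import hashlib
import logging
import os
import tempfile
from typing import Iterable, List

# Constructed example, not from the slides and not the code of dd, EnCase or any
# other named tool: a minimal sector-by-sector imager in the spirit of
# `dd conv=noerror,sync`, written to show the checks the NIST requirements and
# the hardware-imager slide ask for: integrity verification of the image,
# logging of I/O errors, and a source that is never written. The "suspect
# drive" is an in-memory byte string with a set of sectors that fail to read
# (an assumption standing in for a real device behind a write blocker).

SECTOR = 512


class SuspectDrive:
    """Read-only drive model; the listed sector numbers raise IOError when read."""

    def __init__(self, data: bytes, bad_sectors: Iterable[int] = ()):
        self._data = bytes(data)      # immutable: this model has no write path at all
        self._bad = set(bad_sectors)
        self.sectors = (len(self._data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self._bad:
            raise IOError(f"read error at sector {n}")
        chunk = self._data[n * SECTOR:(n + 1) * SECTOR]
        return chunk.ljust(SECTOR, b"\x00")   # a short last chunk is padded (real sectors are always full)

    def raw_hash(self) -> str:
        # Hash of the model's bytes, used only to show the source was not altered.
        return hashlib.sha256(self._data).hexdigest()


def image_drive(drive: SuspectDrive, out_path: str, log: logging.Logger) -> dict:
    """Copy every sector to out_path; unreadable sectors are logged and zero-filled."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    errors: List[int] = []
    with open(out_path, "wb") as out:
        for n in range(drive.sectors):
            try:
                sector = drive.read_sector(n)
            except IOError as exc:
                log.error("sector %d: %s; writing %d zero bytes instead", n, exc, SECTOR)
                errors.append(n)
                sector = b"\x00" * SECTOR   # keeps every later sector at its true offset (dd's sync)
            out.write(sector)
            md5.update(sector)
            sha1.update(sector)
    log.info("imaged %d sectors, %d read errors, md5=%s sha1=%s",
             drive.sectors, len(errors), md5.hexdigest(), sha1.hexdigest())
    return {"sectors": drive.sectors, "read_errors": errors,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path: str, expected_md5: str, expected_sha1: str) -> bool:
    """Re-read the finished image file and compare both hashes with those computed while copying."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest() == expected_md5 and sha1.hexdigest() == expected_sha1


def acquire(data: bytes, bad_sectors: Iterable[int] = ()) -> dict:
    """Whole run: hash source, image it to a temp file, verify the image, confirm the source is unchanged."""
    log = logging.getLogger("acquisition")
    drive = SuspectDrive(data, bad_sectors)
    source_before = drive.raw_hash()
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        record = image_drive(drive, path, log)
        record["image_size"] = os.path.getsize(path)
        record["verified"] = verify_image(path, record["md5"], record["sha1"])
    finally:
        os.unlink(path)
    record["source_unchanged"] = drive.raw_hash() == source_before
    return record


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sample = bytes(range(256)) * 8            # constructed 2048-byte "drive" = 4 sectors
    print(acquire(sample, bad_sectors=[1]))
```

The returned record is the material an examiner would keep with the image: sector count, the list of sectors that could not be read, both hashes, whether the image verified, and whether the source hash was the same after acquisition as before. A zero-filled sector changes the image hash relative to a clean copy, which is why the error list has to be logged alongside the hash rather than discarded.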
Solid State Disks Forensics

Solid state disks

Fundamental issues:
- Storage areas need to be erased before they can be overwritten.
- The number of write-erase cycles is limited.

Common solution:
- Flash Translation Layer
  - Wear leveling
  - Garbage collection

Solid State Disks Forensics

Data is arranged in pages, which are arranged in erase blocks:

  Erase Block    Erase Block    Erase Block
  Page 0         Page 4         Page 8
  Page 1         Page 5         Page 9
  Page 2         Page 6         Page 10
  Page 3         Page 7         Page 11
Solid State Disks Forensics
- Pages are individually read and written.
- All pages in a block need to be erased together.

Solid State Disks Forensics

Flash Translation Layer
- Address indirection between virtual and physical pages.
- The system presents an image of written and free pages to the interface.
- The system itself allocates pages in different physical locations.

Solid State Disks Forensics

Flash Translation Layer

Example: update page 19874
1. The system reads the old page 19874 into a memory buffer.
2. The client changes the contents and saves.
3. The system writes the contents into a new page.
4. It updates the translation table to remember the new physical address of page 19874.
5. It resets the valid flag for the old physical page of 19874.

Solid State Disks Forensics

Flash Translation Layer

Wear leveling:
- The system maintains a count of erasures for each erase block.
- It tries to allocate new pages in erase blocks with a low count of erasures.

Solid State Disks Forensics

Flash Translation Layer

Garbage collection
- The system needs to find space for new data.
- It needs to erase erase-blocks.
- If all erase-blocks have valid pages in them:
  1. Find an erase-block with few valid pages.
  2. Copy its valid pages into pages in other erase-blocks and mark the current physical pages invalid.
  3. Erase the now empty erase-block.
- The garbage collection process can begin emptying erase blocks in anticipation.
Solid State Disks Forensics

Consequences for forensic duplication
- There is no good way to access physical pages.
- The data in empty logical pages can change through garbage collection whenever the SSD is powered on:
  - Another page was written into the logical page and the page became valid.
  - The logical page was physically relocated and possibly erased.
- One can no longer prevent changes to the device.
- One cannot calculate a hash of the contents, then duplicate, then compare the hash.
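The update example, the wear-leveling and garbage-collection slides, and the consequences above can be followed through in code. The Python simulation below is an added example, not material from the slides: a toy flash translation layer with out-of-place updates, per-block erase counts and a garbage collector. It shows the hash of the logical image changing after garbage collection runs with no host write at all, which is why the hash-then-duplicate-then-compare procedure cannot be relied on for an SSD. Page and block sizes, the 0xFF erased state, the over-provisioning ratio and the TRIM-like discard operation are assumptions of the simulation; real controllers are far more elaborate.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed example, not from the slides: a toy flash translation layer with
# out-of-place page updates, per-block erase counts for wear leveling and a
# garbage collector, built to show why the logical contents of an SSD can
# change without a single host write. Page/block sizes, the erased state 0xFF
# and the TRIM-like "discard" operation are assumptions of the simulation.

PAGE_SIZE = 4            # bytes per page (tiny, to keep the demo readable)
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 3           # 12 physical pages ...
LOGICAL_PAGES = 8        # ... exposed as 8 logical pages (the rest is over-provisioning)
ERASED = b"\xff" * PAGE_SIZE


class ToySSD:
    def __init__(self) -> None:
        self.blocks: List[List[bytes]] = [[ERASED] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]
        self.valid: List[List[bool]] = [[False] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)]
        self.erase_count: List[int] = [0] * NUM_BLOCKS
        self.next_free: List[int] = [0] * NUM_BLOCKS        # pages are programmed in order inside a block
        self.l2p: Dict[int, Tuple[int, int]] = {}           # translation table: logical page -> (block, page)

    def _allocate(self) -> Tuple[int, int]:
        """Wear leveling: among blocks with room, prefer the one erased least often."""
        candidates = [b for b in range(NUM_BLOCKS) if self.next_free[b] < PAGES_PER_BLOCK]
        if not candidates:
            self.garbage_collect()
            candidates = [b for b in range(NUM_BLOCKS) if self.next_free[b] < PAGES_PER_BLOCK]
            if not candidates:
                raise RuntimeError("device full")
        b = min(candidates, key=lambda i: self.erase_count[i])
        p = self.next_free[b]
        self.next_free[b] += 1
        return b, p

    def write(self, logical: int, data: bytes) -> None:
        """The slide's 'update page 19874': new physical page, remap, old page flagged invalid."""
        assert len(data) == PAGE_SIZE
        old = self.l2p.get(logical)
        b, p = self._allocate()
        self.blocks[b][p] = data
        self.valid[b][p] = True
        self.l2p[logical] = (b, p)
        if old is not None:
            self.valid[old[0]][old[1]] = False

    def discard(self, logical: int) -> None:
        """Host deletes the logical page (TRIM-like). The old data stays mapped until GC erases it."""
        if logical in self.l2p:
            b, p = self.l2p[logical]
            self.valid[b][p] = False

    def read(self, logical: int) -> bytes:
        """What the interface shows: the mapped physical page, or erased state if unmapped."""
        if logical not in self.l2p:
            return ERASED
        b, p = self.l2p[logical]
        return self.blocks[b][p]

    def garbage_collect(self) -> Optional[int]:
        """Pick the programmed block with the fewest valid pages, relocate those, erase the block."""
        programmed = [b for b in range(NUM_BLOCKS) if self.next_free[b] > 0]
        if not programmed:
            return None
        victim = min(programmed, key=lambda b: sum(self.valid[b]))
        if sum(self.valid[victim]) == PAGES_PER_BLOCK:
            return None                                    # nothing reclaimable
        survivors = [(lp, self.blocks[b][p]) for lp, (b, p) in self.l2p.items()
                     if b == victim and self.valid[b][p]]
        # Every mapping into the victim goes away here. For discarded pages that were
        # still mapped, this is the moment the deleted data stops being readable.
        for lp in [lp for lp, (b, _) in self.l2p.items() if b == victim]:
            del self.l2p[lp]
        self.blocks[victim] = [ERASED] * PAGES_PER_BLOCK
        self.valid[victim] = [False] * PAGES_PER_BLOCK
        self.next_free[victim] = 0
        self.erase_count[victim] += 1
        for lp, data in survivors:
            self.write(lp, data)                           # relocated through the normal allocation path
        return victim

    def image_hash(self) -> str:
        """Hash of the logical image an acquisition tool would see through the interface."""
        return hashlib.sha256(b"".join(self.read(lp) for lp in range(LOGICAL_PAGES))).hexdigest()


def demo_power_on_change() -> dict:
    """Write, update, delete, then let GC run as a controller might after power-on; compare images."""
    ssd = ToySSD()
    for lp in range(6):
        ssd.write(lp, bytes([lp]) * PAGE_SIZE)
    ssd.write(1, b"NEW1")               # out-of-place update; old copy of page 1 is now invalid
    ssd.discard(2)                      # host deletes page 2; its bytes are still readable
    before = {"page2": ssd.read(2), "hash": ssd.image_hash(), "erase_counts": list(ssd.erase_count)}
    ssd.garbage_collect()               # no host write happens here
    after = {"page2": ssd.read(2), "hash": ssd.image_hash(), "erase_counts": list(ssd.erase_count)}
    return {"before": before, "after": after, "live": [ssd.read(lp) for lp in (0, 1, 3, 4, 5)]}
```

Running `demo_power_on_change()` shows logical page 2 reading as the deleted data before garbage collection and as erased bytes after it, while every live page is unchanged, so the image hash differs between the two reads even though nothing was written through the interface. The erase counts also show the allocator steering the relocated pages away from the block that was just erased, which is the wear-leveling behaviour the slides describe.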