Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Forensic Science

Dead-box and Live-box analysis - PSNA CET

Forensic Analysis
By
Mrs. T. Hemalatha,
Associate Professor
Department of Computer Science & Engineering
4/13/2015
1
Cyber Crime
• Computer crime, or Cyber crime, refers to any
crime that involves a computer and
a network. The computer may have been used
in the commission of a crime, or it may be the
target.
• Netcrime refers to criminal exploitation of the
Internet.
4/13/2015
2
Overview of Presentation
• Why is Evidence identification and
Preservation required?
• Who benefits from Computer Forensics?
• General Types of Forensic Examinations
requested.
• Process of Forensics.
• Tools of the trade.
• What is the Examiner looking for?
4/13/2015
3
Why is Evidence important?
• In the legal world, Evidence is EVERYTHING.
• Evidence is used to establish facts.
• The Forensic Examiner is not biased.
4/13/2015
4
Who needs Computer Forensics?
•
•
•
•
The Vicitm!
Law Enforcement
Insurance Carriers
Ultimately the Legal System
4/13/2015
5
Who are the Victims?
• Private Business
• Government
• Private Individuals
4/13/2015
6
Cybercrime
• Offences that are committed against individuals or
groups of individuals with a criminal motive to
intentionally harm the reputation of the victim or
cause physical or mental harm to the victim directly or
indirectly, using modern telecommunication networks
such as Internet (Chat rooms, emails, notice boards
and groups) and mobile phones (SMS/MMS)".
• Such crimes may threaten a nation’s security and
financial health
• Ex. Cracking, Copyright Infringement, Loss or
interception of Confidential Information etc.
4/13/2015
7
Computer Forensics
• Is to examine digital media in a forensically
sound manner
• with the aim of identifying, preserving,
recovering, analyzing and presenting facts and
opinions about the information.
4/13/2015
8
Digital Forensics
• Goal
– Computer forensics is to perform a structured
investigation while maintaining a documented
chain of evidence to find out exactly what
happened on a computing device and who was
responsible for it.
– Computer forensics is the application of
investigation and analysis techniques to gather
and preserve evidence from a particular
computing device in a way that is suitable for
presentation in a court of cyber law.
4/13/2015
9
Digital Forensics
• Used for various purposes
– Investigating Cyber Crimes
– Internal Policy Violations
– Reconstructing Computer Security Incidents
– Troubleshooting Operational problems
– Recovering from accidental system damage
4/13/2015
10
Some litigations
•
•
•
•
•
•
•
•
•
Civil Matters
Breach of Contract
Asset recovery
Breach of Confidence
Breach of securities industry legislation and regulation and /or
Companies Acts
Employee disputes
Copyright and other intellectual property disputes
Consumer Protection law obligations (and other examples of
no-fault liability)
Data Protection law legislation
4/13/2015
11
Criminal Matters
•
•
•
•
•
•
•
•
•
Theft Acts, including deception
Criminal Damage
Demanding money with menaces
Companies Law, Securities Industry and banking offences
Criminal offences concerned with copyright and intellectual
property
Drug offences
Trading standards offences
Official Secrets
Computer Misuse Act offences
4/13/2015
12
Phases involved in examination
• Collection
Identifying, labeling, recording, and acquiring data from the
possible sources of relevant data, while following
procedures that preserve the integrity of the data.
• Examination
using a combination of automated and manual methods,
and assessing and extracting data of particular interest,
while preserving the integrity of the data
• Analysis
Analyzing the results of the examination, using legally
justifiable methods and techniques, to derive useful
information
• Reporting
Reporting the results of the analysis
4/13/2015
13
Investigators
• use a variety of techniques and proprietary
software forensic applications to examine the
copy, searching hidden folders and
unallocated disk space for copies of deleted,
encrypted, or damaged files. Any evidence
found on the digital copy is carefully
documented in a "finding report" and verified
with the original in preparation for legal
proceedings
that
involve
discovery,
depositions, or actual litigation
4/13/2015
14
• Computer Forensic Analysis and Incident
Response will help to determine
– How did the breach occur?
– What systems were compromised?
– What did they take? What did they change?
– How do we remediate the incident?
• Incident responders should be armed with the
latest tools, memory analysis techniques, and
enterprise scanning methodologies in order to
identify, track and contain advanced
adversaries, and remediate incidents.
4/13/2015
15
Computer Forensics Methods (1)
• safe seizure of computer systems and files, to avoid
contamination and/or interference
• safe collection of data and software
• safe and non-contaminating copying of disks and other data
media
• reviewing and reporting on data media
• sourcing and reviewing of back-up and archived files
• recovery / reconstruction of deleted files - logical methods
• recovery of material from "swap" and "cache" files
• recovery of deleted / damaged files - physical methods
4/13/2015
16
Computer Forensics Methods (2)
• core-dump: collecting an image of the contents of the active
memory of a computer at a particular time
• estimating if files have been used to generate forged output
• reviewing of single computers for "proper" working during
relevant period, including service logs, fault records, etc.
• proving / testing of reports produced by complex client /
server applications
• reviewing of complex computer systems and networks for
"proper" working during relevant period, including service
logs, fault records, etc.
• review of system / program documentation for: design
methods, testing, audit, revisions, operations management.
4/13/2015
17
Computer Forensics Methods(3)
• reviewing of applications programs for "proper" working
during relevant period, including service logs, fault records,
etc.
• identification and examination of audit trails
• identification and review of monitoring logs
• telecoms call path tracing (PTTs and telecoms utilities
companies only)
• reviewing of access control services - quality and resilience of
facilities (hardware and software, identification /
authentication services)
• reviewing and assessment of access control services - quality
of security management
• reviewing and assessment of encryption methods - resilience
and implementation
4/13/2015
18
Computer Forensics Methods (4)
• setting up of pro-active monitoring in order to detect
unauthorised or suspect activity
• monitoring of e-mail
• use of special "alarm" or "trace" programs
• use of "honey pots"
• inter-action with third parties, e.g. suppliers, emergency
response teams, law enforcement agencies
• reviewing and assessment of measuring devices, etc. and
other sources of real evidence, including service logs, fault
records, etc.
• use of routine search programs to examine the contents of a
file
• use of purpose-written search programs to examine the
contents of a file
4/13/2015
19
Computer Forensics Methods (5)
• reconciliation of multi-source files
• examination of telecoms devices, location of associated
activity logs and other records perhaps held by third parties
• event reconstruction
• complex computer intrusion
• complex fraud
• system failure
• disaster affecting computer driven machinery or process
• review of "expert" or rule-based systems
• reverse compilation of suspect code
• use of computer programs which purport to provide
simulations or animations of events: review of accuracy,
reliability and quality
4/13/2015
20
Examination
•
•
•
•
•
•
•
The Operating System
Services
Applications/processes
Hardware
LOGFILES!
System, Security, and Application
File System
4/13/2015
21
Examination Continued
•
•
•
•
•
•
•
Deleted/Hidden Files/NTFS Streams
Software
Encryption Software
Published Shares/Permissions
Password Files
SIDS
Network Architecture/Trusted Relationships
4/13/2015
22
Off-Site Storage
•
•
•
•
“X-Drives”
FTP Links
FTP Logs
Shares on internal networks
4/13/2015
23
Toolkit requirements
• File Viewers
• Uncompressing Files
• Graphically Displaying Directory Structures
• Identifying Known Files
• Accessing File Metadata
4/13/2015
24
Protection
• Protect the integrity of the evidence. Maintain
control until final disposition.
• Prior to Booting target computer,
DISCONNECT HDD and verify CMOS.
• When Booting a machine for Analysis, utilize
HD Lock software.
4/13/2015
25
Operating system
• Volatile Data vs. Non Volatile data
• Focus on Volatile Data
– Contents of Memory - 3rd party utilities
– Network Configuration – ifconfig, ipconfig
– Network Connections - netstat
– Running Processes - ps
– Open Files - lsof
– Login Sessions
– Operating System Time – date,time,nlsinfo
4/13/2015
26
File System
•
•
•
•
File systems are designed to store files on media
Deleted Files
Slack Space
Free Space - is the area on media that is not allocated
to any partition; it includes unallocated clusters or
blocks
• Data might be hidden is through Alternate Data
Streams (ADS) within NTFS volumes - used to store
unnamed stream
• Renaming the files with inappropriate extensions – File
headers need to be analyzed to detect such attacks
4/13/2015
27
Network system Data
•
•
•
•
Packet sniffers
Wire shark
Traffic analyzer
NAT
4/13/2015
28
Application Data
• Configuration Files
• Log files
–
–
–
–
–
Event log
Audit Log
Error log
Installation log
Debugging log
• Types of application
– Local or client server or peer to peer
– Web application
• Trusted or Malware analysis
4/13/2015
29
Log File Analysis
•
•
•
•
•
Events.
What Events are monitored?
What do the event records reveal?
Firewall/Router/Server log files?
Modem/FTP/Telnet
4/13/2015
30
Memory Forensics
• effective at finding evidence of worms, rootkits, and
advanced malware
• Identify Rogue Processes
• Analyze process DLLs and Handles
• Review Network Artifacts
• Look for Evidence of Code Injection
• Check for Signs of a Rootkit
• Acquire Suspicious Processes and Drivers
– STUXNET
– TDL3/ TDSS
– Zeus/Zbot
4/13/2015
31
Dead-box and Live-box analysis
•Dead Box Analysis – Accessing and analyzing
all the Non volatile Information
•Live Box Analysis - – Accessing and analyzing
all the volatile Information
•fdpro.exe was used to create a physical
memory from a Windows XP SP3 OS.
4/13/2015
32
Evidence Search
•
•
•
•
•
•
•
•
Image Files
Software applications
Deleted Files
Hidden Files
Encrypted Files
Hidden partitions
Keyword Search
Known Remote Access Tools
4/13/2015
33
Malicious code
• Investigators need to know if malicious code is
running on a suspect’s machine. Physical
memory analysis provides a new approach to
detecting rootkits and malicious code. This
capture shows HBGary Responder identifying
a hidden kernel driver called msdirectx.sys.
The process notepad.exe is hidden from the
system
4/13/2015
34
Evidence Processing Guidelines
• New Technologies Inc. recommends following 16
steps in processing evidence
• They offer training on properly handling each step
– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to machine and destruction of
evidence (manual or ant-forensic software)
– Step 2: Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating
4/13/2015
35
Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to A Secure
Location
• Do not leave the computer unattended unless it is locked in a
secure location
– Step 4: Make Bit Stream Backups of Hard Disks and Floppy
Disks
– Step 5: Mathematically Authenticate Data on All Storage
Devices
• Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File
4/13/2015
36
Evidence Processing Guidelines (cont)
– Step 9: Evaluate File Slack
• File slack is a data storage area of which most computer users
are unaware; a source of significant security leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated Space for
Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage
Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used
4/13/2015
37
4/13/2015
38
4/13/2015
39
4/13/2015
40
4/13/2015
41
4/13/2015
42
4/13/2015
43
4/13/2015
44
4/13/2015
45
NTFS Streams
The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
Copyright(c)1998 NT OBJECTives, Inc. All Rights Reserved
AFind - File access time finder
SFind - Hidden data streams finder
HFind - Hidden file finder
4/13/2015
46
Typical CBD Files
4/13/2015
47
Imaging Software
4/13/2015
48
4/13/2015
49
Security Identifers
SIDS can be used to ID the perpetrator.
Security is used within Win2K to ID a user.
Security is applied to the SID.
4/13/2015
50
Where to find the SID
4/13/2015
51
4/13/2015
52
SID Structure
• Domain Identifier: All values in the series,
excluding the last value ID the Domain.
• Relative Identifier (RID) is the last value. This
ID’S the Account or Group
• S-1-5-21-838281932-18373095651144153901-1000
4/13/2015
53
Users
4/13/2015
54
4/13/2015
55
4/13/2015
56
4/13/2015
57
4/13/2015
58
4/13/2015
59
4/13/2015
60
4/13/2015
61
4/13/2015
62
Documentation
•
•
•
•
•
Document EVERYTHING
Reason for Examination
“The Scene”
Utilize Screen Capture/Copy Suspected files
All apps for Analysis/apps on Examined
system.
4/13/2015
63
Thank You
4/13/2015
64
Related documents
Qualifying Digital Forensic Practitioners as Expert
Qualifying Digital Forensic Practitioners as Expert
What is Computer Forensics?
What is Computer Forensics?
Wildlife Forensics
Wildlife Forensics
docx - Mickey Lasky
docx - Mickey Lasky
IRP 4 Forensics
IRP 4 Forensics
cfintro
cfintro
SE00 - 台灣大學地質科學系
SE00 - 台灣大學地質科學系
Expert Insights, Computer Forensics
Expert Insights, Computer Forensics
Digital Forensics and Cyber Psychology
Digital Forensics and Cyber Psychology
Digital…it`s how we live! - Expert Insights, Computer Forensics
Digital…it`s how we live! - Expert Insights, Computer Forensics
Information Systems and Internet Security (ISIS) Lab Some Recent
Information Systems and Internet Security (ISIS) Lab Some Recent
Chapter 13: Advanced Security and Beyond
Chapter 13: Advanced Security and Beyond
ISYS 377 CYBER FORENSICS COURSE SYLLABUS Spring 2014
ISYS 377 CYBER FORENSICS COURSE SYLLABUS Spring 2014
February 11, 2015
February 11, 2015
Download