An Introduction to Computer Forensics
James L. Antonakos, Professor, Computer Science Department

Topics
- What is Computer Forensics?
- Why do we need Computer Forensics?
- Live Analysis Versus Static Analysis
- Capturing a Drive Image
- The Organization of Hard Disks
- The Organization of File Systems
- Where's the Data?
- Forensic Tools

What is Computer Forensics?
- Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
- Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
- It is very important to maintain the Chain of Custody.

Why do we need Computer Forensics?
- Support law enforcement.
- Many types of documents are now stored electronically.
- Learn about the techniques used by cyber-criminals.
- Computers may be the instrument used in a crime or the victim of a crime.

Live Analysis Versus Static Analysis
- Live Analysis: Forensics performed on a running system.
  - There are more things to look at during a live analysis than a static analysis.
  - Do you pull the plug or perform an orderly shutdown?
- Static Analysis: Forensics performed on a copy of the data from a system.
  - This type of analysis is done most often.

Live Analysis
Things to record:
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the Desktop and Clipboard.

Static Analysis
Things to look for:
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, emails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.

Capturing a Drive Image
- A write-blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.

Capturing a Drive Image
- One bit is a 0 or a 1.
- One byte is 8 bits.
- One KB (Kilobyte) is 1024 bytes.
- One MB (Megabyte) is 1024 KB.
- One GB (Gigabyte) is 1024 MB.
- A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
- One TB (Terabyte) is 1024 GB.

Capturing a Drive Image
- A drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged affects the time required to perform the capture.
- The speed of the connection also affects the time required to image the drive.
- A 500 GB drive may require 8 hours or several days to acquire.

Image is Verified via a Hash
[Figure: hash verification of a drive image]

The Organization of Hard Disks
- A hard disk contains one or more platters.
- Each platter contains two sides (surfaces).
- Each surface contains circular tracks divided into sectors.
- Each track may contain 64 sectors.
- Each sector contains 512 bytes of data.
- A 500 GB hard drive contains over 1 billion sectors.

Typical Hard Drive
[Figure: typical hard drive]

The Organization of Hard Disks
- The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
- A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
- Data is transferred between the disk and main memory on the motherboard.

The Organization of File Systems
- A File System is a logical way of organizing the sectors on a disk.
- Different Operating Systems support different file systems:
  - Windows: FAT and NTFS
  - Linux: EXT3
  - Mac OS X: HFS+
- FAT is the most widely supported file system.

The Organization of File Systems
Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
- Boot sector
- FAT sectors
- Directory sectors
- Data sectors

Operation of FAT
[Figure: operation of the FAT]

Challenges of FAT
- After a lot of use (files created, edited, and deleted) the FAT becomes very fragmented.
- It is not easy to search through the FAT on a hard disk, as it is very large.
- We need software to interpret the FAT for us.
- File slack may contain valuable data.

Where is the File Slack?
[Figure: location of file slack within the last cluster of a file]

What Happens when a File is Deleted?
- The file's entries in the FAT are set to 'free.'
- The file's entry in the Directory has its first byte (letter) changed to an unprintable code (E5); all other file properties stay the same.
- The data content of the file remains stored on disk until overwritten.

A Sample Directory
[Figure: sample FAT directory]

Where's the Data?
- Registry.
- Files and folders.
- Deleted files.
- Unallocated space.
- Slack space.
- System files: HIBERFIL.SYS, INDEX.DAT, PAGEFILE.SYS.

Forensic Tools
- Hex editor: Display, search, and modify hexadecimal data.
- Forensic analysis software:
  - FTK (Forensic Toolkit)
  - EnCase
  - Autopsy
  - X-Ways

FTK (Forensic Toolkit)
[Figure: FTK screenshot]

Forensic Tools
- Network traffic sniffer/analyzer
- Imaging software
- Hashing software
- Log file analyzer
- Steganography software

Skills Needed by a Forensic Examiner
- Knowledge of Operating Systems.
- Knowledge of File Systems.
- Must understand networking and TCP/IP.
- Must possess the necessary software for imaging and analyzing images.
- Must possess additional software such as a hex editor, log file analyzer, etc.
- Lots of patience!!!

Thank you! Questions?
Contact Info: James L. Antonakos, Professor, CST
antonakos_j@sunybroome.edu
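The slides on file deletion, file slack, and hash verification of an image can be tied together in a small script. The example below is added here and is not part of the original slides: it parses constructed 32-byte FAT 8.3 directory entries (an active file and a deleted one whose first byte is E5), computes each file's slack, and checks an image copy against its source hash. The 8-sector cluster size and the sample entries are assumptions for illustration.

```python
import hashlib
import struct

SECTOR_BYTES = 512        # bytes per sector, as stated on the slides
CLUSTER_SECTORS = 8       # assumed: FAT allocates 8-sector (4096-byte) clusters
CLUSTER_BYTES = SECTOR_BYTES * CLUSTER_SECTORS

# Constructed sample: two 32-byte FAT 8.3 directory entries followed by an
# end-of-directory marker (0x00). Offsets used: 0-10 name+ext, 11 attribute,
# 26-27 first cluster, 28-31 file size (both little-endian).
SAMPLE_DIR = (
    b"REPORT  DOC" + b"\x20" + b"\x00" * 14 + struct.pack("<HI", 5, 7000)
    + b"\xe5OTES   TXT" + b"\x20" + b"\x00" * 14 + struct.pack("<HI", 9, 1500)
    + b"\x00" * 32
)

def slack_bytes(size):
    """Bytes left between the end of the file and the end of its last cluster."""
    if size == 0:
        return 0
    return (-size) % CLUSTER_BYTES

def parse_directory(raw):
    """Walk FAT directory entries, keeping deleted (0xE5) entries instead of skipping them."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if len(e) < 32 or e[0] == 0x00:     # 0x00 marks the end of the directory
            break
        deleted = e[0] == 0xE5
        # Only the first character was overwritten on delete; show it as '?'.
        name_bytes = (b"?" if deleted else e[0:1]) + e[1:8]
        name = name_bytes.decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        first_cluster, size = struct.unpack("<HI", e[26:32])
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,          # data is still on disk until overwritten
            "first_cluster": first_cluster,
            "size": size,
            "slack": slack_bytes(size),  # bytes of slack worth examining
        })
    return entries

def image_verified(original, copy):
    """Acquisition check: the copy is trusted only if both SHA-256 hashes match."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(copy).hexdigest()

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
```

The deleted entry still carries its starting cluster and size, which is exactly what lets recovery tools follow the old data until it is overwritten.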