FORENSIC & EDISCOVERY
PRACTICE TIPS
Michael Nelson
08‐22‐2014
This is an interactive session, driven by you. This is by no means a comprehensive, authoritative or general session. If you have an opinion or question, DO NOT HESITATE TO CONTRIBUTE. If you have a specific question or would like to get granular or detailed, we can certainly do so.
Overview
• Digital Forensics / eDiscovery Practice Tips:
Learn about digital forensics and eDiscovery related to mobile devices, social media, physical infrastructure and the cloud. Areas such as data mapping, collection, metadata preservation and investigation will be touched on. Attendees will see the benefits and struggles associated with various network configurations and mobile device policies.
Whose Data Is It? Do You Have Permission?
• Just because you have a device in hand does not give you the permission to look at it!
• Who Owns the Equipment?
• Who Owns the Data?
• Is It a Gray Area?
• Is there Questionable Material on the Device? (CP)
• Are you Liable for What Is or Is Not Found or Condition of Equipment?
• Protect Yourself – Always have an agreement covering these topics
Bring Your Own Device
• Blurring Lines on Device/Data Ownership
• Access to Device Outside Business Hours (Black Bag Job)
• Access to Device After Termination
• Remote Wiping
• Password Protection
• Photos / Cloud Data Storage / Local Device Storage / Personal Email Accounts
• Cell Network Not Subject to Company Filtering (w/out MDP/MDM)
Company Handbook
• Should define policies on uses of company technology resources and data
• Expected Right To (or Lack Thereof) Privacy
• Mobile Device Policy / Usage
• BYOD – Company Data
• Social Media Policies
• Consult Legal Counsel
Pre‐Forensics / Investigation – Data Mapping
• What Data Is Crucial
• Where Does It Reside
• Alternate Locations For Data
• Deleted Data
• Backed Up Data
• Ownership of Data – Cloud / BYOD
• Encryption
• Procedure for Capturing
How Much Data Is It?
Document Type          Avg Pages/Doc   Avg Pages/GB   Avg Docs/GB   Avg Boxes/GB
MS Word Files                 9             64,782         7,198          26
Email Files                   1.5          100,099        66,732          40
MS Excel Files               50            165,791         3,316          66
Lotus 1‐2‐3 Files            55            297,317         5,406         119
MS PowerPoint Files          14             17,552         1,254           7
Text Files                   20            677,963        33,898         271
Image Files                   1.4           15,477        11,055           6
A box here is roughly 2,500 pages (Pages/GB ÷ Boxes/GB).
Source: Lexis Nexis
Forensics Phases
• Phase I – Preservation
  – Photograph / Document
    » Make, Model, Serial Number, Date/Time, Damage, Removable Media, Location, Individuals Involved, Chain of Custody
  – Imaging Techniques and Times (why drive size and machine type matter)
    » Hard Drive Accessible & Removable – LogiCube Dossier ~5 GB per minute (plus hashing/verification)
    » Hard Drive Not Accessible – Boot CD, Live Imaging, Network Data; various tools ~1 GB per minute (plus verification)
  – Always ask about encryption; it can change the above processes significantly
Forensics Phases – Cont.
• Phase II – Working Copies / Pre‐processing
  – Creating a working/backup forensic image
  – FTK / EnCase / IEF Processing
    » Hashing, Expanding Compound Files, File Signature Analysis, Indexing, Internet History Extraction
• Phase III
  – Investigation
  – Reporting
  – Consulting
• Phase IV
  – Affidavit / Deposition / Testimony
Collection / Forensic Imaging
• Self Collection Vs. Professional
• Need to ensure proper evidence handling of digital evidence before investigation begins or data is turned over
– Preservation (Forensic Imaging)
– Verification of Data
– Authenticity of Data
– Integrity of Data
– Chain of Custody
• What procedures were followed in providing you with data?
– Is person trained / qualified to perform the work?
– Can this be testified to?
– Can this be refuted?
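The verification and chain‐of‐custody points above, as an added example that is not part of the original slides: it hashes an acquired image in a single streaming pass with MD5 and SHA‐256 (the pair most imaging tools record at acquisition), re‐verifies the working copy against the acquisition hashes, and appends a custody record for each action. The evidence identifier, examiner names and the sample "image" bytes are constructed for the demonstration; no real evidence is read.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks so multi-TB images never have to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Compute several digests of a file in one read pass.

    Imaging tools usually record MD5 plus SHA-1/SHA-256 at acquisition time; verifying
    with two independent algorithms means a collision argument against one of them cannot
    by itself cast doubt on the copy.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, acquisition_hashes):
    """Re-hash a working copy and compare with the hashes recorded at acquisition.

    Returns (verified, current_hashes); any mismatching algorithm fails verification.
    """
    current = hash_file(path, tuple(acquisition_hashes))
    verified = all(current[name] == acquisition_hashes[name] for name in acquisition_hashes)
    return verified, current


def custody_record(evidence_id, action, examiner, hashes, note=""):
    """One chain-of-custody entry: who did what to which item, when, and what it hashed to."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": dict(hashes),
        "note": note,
    }


def run_demo():
    """Acquire, verify, tamper with and re-verify a constructed sample image; returns the outcomes."""
    # Constructed stand-in for a forensic image (not real evidence data).
    sample_image = (b"MBR\x55\xaa" + bytes(range(256)) * 64) * 32
    log = []
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "EVID-0001.dd")  # hypothetical evidence ID
        with open(image_path, "wb") as fh:
            fh.write(sample_image)

        acquisition = hash_file(image_path)
        log.append(custody_record("EVID-0001", "acquired", "examiner A", acquisition))

        verified_original, _ = verify_image(image_path, acquisition)
        log.append(custody_record("EVID-0001", "verified", "examiner B", acquisition,
                                  "hashes match" if verified_original else "MISMATCH"))

        # Flip one byte deep inside the copy: a bad sector, a bit flip or tampering all look like this.
        with open(image_path, "r+b") as fh:
            fh.seek(len(sample_image) // 2)
            original = fh.read(1)
            fh.seek(-1, os.SEEK_CUR)
            fh.write(bytes([original[0] ^ 0xFF]))

        verified_after_tamper, current = verify_image(image_path, acquisition)
        log.append(custody_record("EVID-0001", "verified", "examiner B", current,
                                  "hashes match" if verified_after_tamper
                                  else "MISMATCH: this copy is not the acquired evidence"))

    return {
        "verified_original": verified_original,
        "verified_after_tamper": verified_after_tamper,
        "mismatched_algorithms": sorted(n for n in acquisition if current[n] != acquisition[n]),
        "custody_log": log,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it and the third log entry shows both digests changed after a single byte was altered; this is the record that answers "can this be refuted?" when the copy is challenged.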
Chain of Custody
Collection – Hard Drive / Targeted
• Forensic Image v. Custom Content Imaging (Targeted Collection)
• Live v. Offline
• RAID – image each member and record the controller / stripe configuration, or the array cannot be reassembled
• SSD – TRIM and garbage collection can erase deleted data on their own, even while the drive sits idle
Encrypted Hard Drives / Files
• BitLocker – Enterprise & Ultimate editions (Vista / 7), Pro & Enterprise (8 / 8.1) – Off by Default
• USB Key OR Password/Passcode
• Server 2008 Active Directory – BitLocker recovery information can be escrowed to AD DS
  – Recovery Password
  – TPM Owner Password
  – Information required to identify the computer and volumes the recovery info applies to
  – Stored in Unencrypted Format
• Live System – recover the keys from a memory image
BitLocker To Go
• Encrypts removable devices
• Windows can store auto‐unlock information so the drive mounts on a trusted machine without the user entering the password
• Registry Key – FveAutoUnlock
• Boot the suspect machine's image in a virtual machine and attach a copy of the BitLocker To Go drive; the stored auto‐unlock key mounts it
Password / Encryption Cracking / Bypassing
• Windows Passwords
• File Passwords
• Encrypted Files / Volumes – (Memory Image is Crucial)
• Decrypt File Attacks
  – Attack on the data, not the password
• Brute Force
• http://www.lostpassword.com/recovery-options-forensic.htm
  – QBW/QBA (QuickBooks) – Instant Removal
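For the "Windows Passwords" and "Brute Force" items, an added example that is not from the original slides and is not the internals of Passware or any other named tool: it implements the NT hash (MD4 over the UTF‐16LE password, with no salt, so one hash computation tests a candidate against every user at once) and runs a rule‐based dictionary attack, which is what a cracker tries before exhaustive brute force. The wordlist, mangling rules and "recovered" hashes are constructed; the hash of "password" is the widely published test value.

```python
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Windows uses it (unsalted) for NT hashes; hashlib lacks it on many builds."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & MASK32

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM / NTDS.dit: MD4(UTF-16LE(password)), no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def mangle(word: str):
    """Candidate generator: a deliberately small, constructed set of the rules users' habits justify."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    suffixes = ["", "!", "1", "123", "2013", "2014", "2014!"]
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix
        yield base.replace("a", "@").replace("o", "0").replace("e", "3")  # one leet pass


def crack_nt_hashes(targets: dict, wordlist) -> dict:
    """Rule-based dictionary attack over username -> NT hash (lowercase hex).

    Because the hash is unsalted, every candidate is hashed once and looked up against all
    users simultaneously. Returns username -> recovered password for every hash that fell.
    """
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.pop(nt_hash(candidate), []):
                recovered[user] = candidate
            if not by_hash:
                return recovered
    return recovered


# Constructed targets: "jdoe" carries the published test value for "password"; the other two
# are hashed here from a password a dictionary pass should catch and one it should not.
SAMPLE_TARGETS = {
    "jdoe": "8846f7eaee8fb117ad06bdd830b7586c",
    "asmith": nt_hash("Summer2014!"),
    "svc_backup": nt_hash("x9#Qv7!pL2m@Zr"),  # long random string: only brute force remains
}
SAMPLE_WORDLIST = ["letmein", "summer", "welcome", "password", "company"]

if __name__ == "__main__":
    for user, pw in crack_nt_hashes(SAMPLE_TARGETS, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw}")
```

The service account survives the wordlist, which is the practical boundary of the "attack the password" route: against a long random password, brute force is infeasible and the examiner is back to attacking the data (keys in memory, escrowed recovery material) rather than the password.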
Remote Data Collection
Collection – Email
• Where does the mail exist – POP / IMAP / Exchange
• Targeted Collection – Outlook PST, Mac Mail EML/EMLX, MBOX
• As Part of Full Forensic Image of Workstation/Laptop
• Extract from Exchange – ExMerge, PowerShell, Third Party Tools
• Collect / Process – EDB
Remote Email Collection (via MailStore)
Supported Email Systems
• Exchange Server 2003, 2007, 2010 and 2013 (including Windows Small Business Server)
• Hosted Exchange
• Microsoft Office 365
• MDaemon Messaging Server
• IceWarp E‐Mail‐Server
• Kerio Connect
• Any IMAP/POP3‐compatible email server
• Email clients such as Microsoft Outlook
• PST and other email file formats
Tamper‐proofing
• Generation of SHA1 hash values from email content
• Internal AES‐256 encryption of email texts and attachments
• No direct access by MailStore client components to the archive files
• It is not possible to change email content, either in the graphical interface or in the internal program
Export Features
• Exporting to an Exchange server or an IMAP mailbox
• Sending emails to any email address via SMTP
• Exporting to email clients (Microsoft Outlook, Windows Mail, Mozilla Thunderbird)
• Exporting to the file system (generates either an .eml or .msg file for each email)
• Exporting to an Outlook .pst file
Cloud Email Collection
• Legal Hold / Mailbox Search / Import/Export
• Google Apps – ediscovery.google.com
• Office 365 – Discovery Management (In‐Place eDiscovery) – Also available in Exchange 2013
• Spam Filter / Online Mailbag
• MailStore – Direct Pull From Mailboxes
• Individual Credentials v. Dedicated User Account
Mobile Device Collection and Limitations
• Function as a Computer but Extremely Different in the Way Collected and in the Expertise Needed to Investigate
• Always On / Constantly Changing / Constant Network Communication
  – Faraday Box/Bag / Airplane Mode / Phone / Internal Memory / SD Card(s) / SIM Card(s) / Cloud Data
• Standard Data Copying Will Not Cut It
• Device May Only Sync a Limited Time Period
• Imaging in Parts
• Built‐In / Third Party Backups (Also Look For Existing Backups)
• Tools to Physically/Logically Image – Cellebrite / XRY / MPE+
• iPhone 4S & Newer (many iPad models as well) – Physical Imaging NOT Possible
  – No Access to Email
• Forensic Community Lags Smart Phone Releases
Mobile Device Passcode Bypassing
• Bypassing – Bootloader (Galaxy S4, iPhone Models Prior to 4S)
• Using Data From Paired Computers – iOS – Trusted Paired Computer .plist (the pairing record lets the device be accessed without the passcode)
• Disabling – Delete Essential File for Locking Mechanism (Samsung Android)
  – Any entered password is accepted (disabling and re‐enabling the lock feature returns it to normal)
• Extracting/Revealing – Manufacturer Back Door Query for Password
• Smudge Pattern (finger smears on the screen reveal the unlock pattern)
• Brute‐Force
• JTAG / Chip‐Off
Mobile Device Policies & Mobile Device Management Warning
• Remote Wipe – Pros v. Cons (a wipe pushed after seizure destroys the evidence; isolate the device from the network first)
• Remote Locking
• Location Services – Lost / Stolen
Collection – Social Media
• Social Media Affects Your Life / Business / Court Case
• Girl Costs Father $80K Settlement w/ Facebook Post
  – http://www.cnn.com/2014/03/02/us/facebook-post-costs-father/
• Chrysler Drops F‐Bomb on Twitter
  – http://www.huffingtonpost.com/2011/03/09/chrysler-twitter-account-_n_833571.html
• X1 ‐ Facebook, Twitter, Instagram, LinkedIn & Websites & Web‐Based Email (Gmail, Yahoo, Outlook, IMAP)
  – One time capture / Monitor
  – Fully Indexed & Searchable
  – Validated w/ MD5
Collection – Cloud Data Storage
• Google Drive
• Dropbox
• MS OneDrive
• Web Interfaces / Logs / Permissions / Download Data / Sync & Collect
Collection ‐ Misc
• Routers / Switches / Firewalls
• Medical Devices
• Command Line / Device Configuration Files / Log Files / Connection Details
Computer Based Artifacts
• Data Files – Office, Email, PDF, Graphics
• Event Logs
  – Are you logging enough information?
• Shortcuts / Link Files
• Jump Lists
• Prefetch Files
• Windows 8 – File History (Including Deleted) – If Enabled
  – Local Cache if Removable/Remote Device Not Available
Metadata
• File System Metadata
  – Created / Accessed / Modified Dates
• File Metadata
  – Office Documents
    » Author Information / Time Spent Editing / Revisions / Printed / etc.
  – Email
    » To / From / CC / BCC / Submit Time / Deliver Time
  – Trash Can
    » User Account That Deleted / When Deleted / Where Originally Located
Metadata Cont.
• Programs / Applications
  – Installed date
  – Number of times run
  – Stored information and options / preferences
• Removable Devices
  – Make, model, driver information
  – First & last time connected
  – Assigned drive letter
• Printer Information
  – Installed printers
  – Print job details
  – Printed items
  – Graphic Representation
Misleading Information
• On Windows Vista, 7 and 8 the Last Access Date is not updated when a file is opened (NtfsDisableLastAccessUpdate is on by default), so it usually still reads as set when the file was created and says nothing about when the file was last viewed
  – XP updates it by default; the behaviour is controlled by the NtfsDisableLastAccessUpdate registry value, which an administrator can change on any of these versions
• Metadata can be altered
  – Editing Directly In Document, Third Party Tools, Changing Date/Time on Computer
• Modification Date Before Creation Date
• Do you have the full picture (computer, logs, various versions)?
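The Office document metadata points above (author, revisions, time spent editing, printed, and a modification date before the creation date), as an added example that is not part of the original slides: it reads the docProps/core.xml and docProps/app.xml parts of an Office Open XML file straight out of the ZIP container and flags the inconsistencies an examiner should corroborate before relying on them. The sample document is constructed in memory with deliberately contradictory dates; the anomaly wording and thresholds are this example's own, not a standard.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _parse_w3cdtf(value):
    """dcterms dates are W3CDTF, e.g. 2014-08-20T10:00:00Z; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def read_office_metadata(docx_bytes: bytes) -> dict:
    """Pull the application-level metadata out of a .docx/.xlsx/.pptx container."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml")) if "docProps/app.xml" in zf.namelist() else None

    def text(root, path):
        node = root.find(path, NS) if root is not None else None
        return node.text if node is not None else None

    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "revision": int(text(core, "cp:revision") or 0),
        "created": _parse_w3cdtf(text(core, "dcterms:created")),
        "modified": _parse_w3cdtf(text(core, "dcterms:modified")),
        "last_printed": _parse_w3cdtf(text(core, "cp:lastPrinted")),
        "application": text(app, "ep:Application"),
        "total_edit_minutes": int(text(app, "ep:TotalTime") or 0),  # Word's "Total editing time"
    }


def metadata_anomalies(meta: dict) -> list:
    """Consistency checks: none proves tampering, each means 'corroborate before relying on it'."""
    issues = []
    c, m, p = meta["created"], meta["modified"], meta["last_printed"]
    if c and m and m < c:
        issues.append("modified before created: clock change, tool edit, or file copied/templated")
    if c and p and p < c:
        issues.append("printed before created: the creation date is not the document's true origin")
    if meta["revision"] > 1 and meta["total_edit_minutes"] == 0:
        issues.append("multiple revisions but zero edit time: TotalTime reset or edited outside Office")
    if meta["creator"] and meta["last_modified_by"] and meta["creator"] != meta["last_modified_by"]:
        issues.append("creator and last author differ: more than one account touched the file")
    return issues


def build_sample_docx() -> bytes:
    """Constructed .docx whose metadata contradicts itself (the docProps parts are all we need)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        "<cp:lastPrinted>2014-08-01T15:00:00Z</cp:lastPrinted>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2014-08-20T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-08-18T09:30:00Z</dcterms:modified>'
        "</cp:coreProperties>" % NS
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
        "<TotalTime>0</TotalTime><Pages>2</Pages></Properties>" % NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    meta = read_office_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key}: {value}")
    for issue in metadata_anomalies(meta):
        print("ANOMALY:", issue)
```

These values come from the document itself, so they travel with it through email and cloud storage; file system dates, by contrast, are rewritten by every copy, which is why the two sets should be compared rather than trusted separately.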
Windows Registry Artifacts
• Typed URLs in Browser
• Recently Viewed Documents / Browsed Folders
• Protected Storage Information – Form Data, Search Queries, Login Creds
• Mount Points & Mapped Drives
• OS Install Date, Registered Owner
• UserAssist – Programs Launched & Number of Times & Last Time
• Uninstalled Software
• Time Zone & Daylight Saving Info
• Last Proper Shutdown Time
• USB Device Details
• Network Settings & Connection Information
Internet History Evidence
In‐Private Browsing / Incognito Modes
• Internet Explorer – Index.dat Still Used and Cache Still Written to Temporary Internet Files
  – Simply shields the data from the user interface
  – Deleted upon closing the browser – but the disk is not wiped
  – RAM / Pagefile will also contain history and are not affected by this process
  – http://www.magnetforensics.com/how-private-is-internet-explorers-inprivate-browsing-first-define-private/
• Chrome – Data not written to SQLite DB files
  – Collection of RAM & Pagefile is Key to Recovering
  – http://www.magnetforensics.com/how-does-chromes-incognito-mode-affect-digital-forensics/
• Firefox – Data not written to Disk Directly
  – Collection of RAM & Pagefile is Key to Recovering
  – http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/
Mobile Device Based Artifacts
• Call Details
• SMS / MMS Messages, iMessages, BBM
  – Not Always on Phone Bill
• Visual Voicemail
• Pictures / Video
  – GPS Information
• Location Information
• Apps
• Smart Phones are Computers w/ Phone Capabilities
• SQLite
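For the SQLite point above, an added example that is not part of the original slides: it queries a constructed, simplified copy of the iOS sms.db layout (message joined to handle) and converts Apple's "Mac absolute time" epoch, seconds since 2001‐01‐01 UTC, or nanoseconds on newer iOS versions, into UTC. Treating these values as Unix timestamps places every message 31 years in the past, which is the first thing to check when a tool's report and a carrier bill disagree. The tables, rows and phone numbers are constructed, not taken from a real device.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple CFAbsoluteTime origin
NANOSECOND_THRESHOLD = 10 ** 12   # seconds-since-2001 stay far below this; nanosecond values are ~1e17


def mac_absolute_to_utc(value) -> datetime:
    """Convert an iOS message date (seconds, or nanoseconds on newer iOS) to an aware UTC datetime."""
    value = int(value)
    if value >= NANOSECOND_THRESHOLD:
        secs, nanos = divmod(value, 10 ** 9)   # integer arithmetic: float division loses precision here
        return MAC_EPOCH + timedelta(seconds=secs, microseconds=nanos // 1000)
    return MAC_EPOCH + timedelta(seconds=value)


def utc_to_mac_absolute(dt: datetime) -> int:
    """Inverse in seconds, for building time-window queries against the raw column."""
    return int((dt - MAC_EPOCH).total_seconds())


def build_sample_db() -> sqlite3.Connection:
    """Constructed, simplified sms.db; real databases carry dozens more columns and tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, text TEXT,
                              date INTEGER, is_from_me INTEGER, service TEXT);
        INSERT INTO handle VALUES (1, '+15555550100', 'SMS');
        INSERT INTO handle VALUES (2, 'someone@example.com', 'iMessage');
        -- 430409109 s after 2001-01-01 = 2014-08-22 14:05:09 UTC
        INSERT INTO message VALUES (1, 1, 'Running late, start without me', 430409109, 0, 'SMS');
        INSERT INTO message VALUES (2, 1, 'OK', 430409200, 1, 'SMS');
        -- the same instant in nanoseconds, the newer on-disk format
        INSERT INTO message VALUES (3, 2, 'Sent over iMessage, never on the carrier bill',
                                    430409109000000000, 1, 'iMessage');
    """)
    return con


def export_messages(con: sqlite3.Connection) -> list:
    """Join messages to their counterpart, normalise timestamps, and order by real time."""
    rows = con.execute("""
        SELECT m.ROWID, h.id, m.text, m.date, m.is_from_me, m.service
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
    """).fetchall()
    messages = [
        {
            "rowid": rowid,
            "counterpart": handle,
            "direction": "sent" if is_from_me else "received",
            "service": service,
            "raw_date": raw,
            "utc": mac_absolute_to_utc(raw).isoformat(),
            "text": text,
        }
        for rowid, handle, text, raw, is_from_me, service in rows
    ]
    # Sort on the converted value: ordering on the raw column would interleave the two formats wrongly.
    return sorted(messages, key=lambda m: (m["utc"], m["rowid"]))


if __name__ == "__main__":
    for msg in export_messages(build_sample_db()):
        print(msg["utc"], msg["direction"], msg["service"], msg["counterpart"], repr(msg["text"]))
```

Deleted rows are not returned by a query like this; they may still sit in unallocated pages or the write‐ahead log of the database file, which is why the file itself, not just query output, is what gets collected.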
Mobile Device Artifacts
Mobile Device Apps
• Skype – Calls over Internet – Not on Phone Bill
• SnapChat – Pictures w/ Captions Sent & Deleted After Viewed
– Have been recoverable in past
– Popular in Financial Industry
– Adding chat and call features
• Cloud Data Storage Apps – Google Drive, Dropbox, etc.
– Upload / Download files
• Social Media Apps ‐ Can still access these networks over cell network even if company network is blocking
• Wireless Network Mapping Tools
Android – Malware in Plain Sight
Cloud Storage Artifacts
• Dropbox for Business – Activity Log
  – Sharing – sending out a link to a file or joining a folder
  – Password – changing password or two‐step verification
  – Logins / Login Failures
  – Admin Actions – shared folder permissions
  – App – linking of a third party app to Dropbox
  – Devices – computer or mobile device linked to the account
  – Membership – someone joins or is removed from the team
  – Deleted Data
  – Restored Data
• Google Apps – Reporting – New Feature – Growing number of logged events
Drive / Data Destruction
• Drive Wiping
• Drive Destruction
• Situations where information is overlooked
  – Donating / Selling / Recycling / Trashing
• Sample data left behind on a hard drive
  – Contacts / Credit Card Info / Passwords / Financial Data / Personal Information / Internet History
• Simple Data Deletion / CCleaner – Not Enough!
• Is Wiping Actually Occurring?
  – Android – Recent News Articles – Security Wipe Not Preventing Data from Being Recovered
Memory Forensics
• New Hot Area in Forensics
• Contains Passwords
• Contains Encryption Keys
• Contains Running Processes
• Contains Network Connection Information
• Contains Internet Artifacts
• Contains Event Logs
• Contains Registry Entries
• Contains Windows Services
• Contains Disk Artifacts
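Serving the "Contains Encryption Keys" item here and the earlier notes that a memory image is crucial for encrypted volumes: an added example, not from the original slides and not the internals of any named product, of the key‐schedule search that password‐recovery tools run over RAM captures. An AES implementation expands the key into round keys and keeps the whole schedule in memory, so scanning every offset and asking "are the next 160 bytes the AES‐128 key schedule of these 16?" recovers the key without ever knowing the password. The "memory image" is a constructed random buffer with one expanded FIPS‐197 test key planted in it; AES‐256 schedules (240 bytes) are found the same way with the 256‐bit expansion.

```python
import random


def _build_sbox():
    """Generate the AES S-box (inverse in GF(2^8) plus affine map) instead of typing a 256-entry table."""
    def rot(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator of GF(2^8)*)
        q ^= (q << 1) & 0xFF                                    # q /= 3, so q == p^-1 at every step
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # zero has no inverse; the affine map alone gives 0x63
    return sbox


SBOX = _build_sbox()


def aes128_round_keys(key: bytes):
    """Yield the 11 round keys of the AES-128 key schedule (FIPS-197 section 5.2), 16 bytes each."""
    rk = bytes(key)
    rcon = 0x01
    yield rk
    for _ in range(10):
        # RotWord + SubWord on the previous round key's last column, Rcon into its first byte
        t = bytes((SBOX[rk[13]] ^ rcon, SBOX[rk[14]], SBOX[rk[15]], SBOX[rk[12]]))
        rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else (rcon << 1)
        out = bytearray()
        for col in range(4):
            t = bytes(a ^ b for a, b in zip(rk[4 * col:4 * col + 4], t))
            out += t
        rk = bytes(out)
        yield rk


def aes128_key_schedule(key: bytes) -> bytes:
    """The 176-byte expanded key, laid out as an AES implementation keeps it in RAM."""
    return b"".join(aes128_round_keys(key))


def find_aes128_keys(memory: bytes) -> list:
    """Scan a memory image for AES-128 key schedules; returns (offset, key) pairs.

    Every offset's 16 bytes are a candidate key. Round keys are generated one at a time and
    compared with the bytes that follow, so random data is rejected after a single round.
    """
    hits = []
    for off in range(len(memory) - 176 + 1):
        rounds = aes128_round_keys(memory[off:off + 16])
        next(rounds)  # round 0 is the candidate itself
        for r in range(1, 11):
            if next(rounds) != memory[off + 16 * r:off + 16 * (r + 1)]:
                break
        else:
            hits.append((off, memory[off:off + 16]))
    return hits


def build_sample_memory(seed=2014):
    """Constructed 'RAM capture': random filler with one expanded FIPS-197 test key planted in it."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(8192))
    planted_at = 3000
    buf[planted_at:planted_at + 176] = aes128_key_schedule(key)
    return bytes(buf), key, planted_at


if __name__ == "__main__":
    memory, _, _ = build_sample_memory()
    for offset, key in find_aes128_keys(memory):
        print(f"AES-128 key schedule at offset 0x{offset:x}: key {key.hex()}")
```

The search works on any dump, including hibernation files and page files, as long as the key schedule was resident when the copy was taken; that is the reason the slides stress collecting memory from a live system before it is powered down.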
The Future
• Digital Forensics: A Billion‐Dollar Market in the Making
  – http://www.inc.com/will-yakowicz/digital-forensics-billion-dollar-market.html
• Internet of Things
• We generate and leave a visible trail at every place we visit, on everything we touch, and with everything we do
• "Therefore, in the next few years, we will be in a position in which every activity, including any law enforcement investigation, will have a digital forensics component. If you want to track a suspect, you're not going to do it the old‐fashioned way with DNA forensics. You will be doing digital forensics to see what the suspect was doing in the cloud, where the person's mobile device was located at what time and what he or she was doing, where the person's car had been. All these new applications of digital forensics will be pieces of evidence and will make the industry much bigger, more important, and more valuable in the next few years."
• Law Needs to Keep Pace w/ Technology
Insurance
• Cyber Liability
• Data Recovery / Disaster Recovery
Recommended Tools
• Volatility – Memory Forensics
• FTK Imager
• EnCase Portable
• X1 – Social Media / Websites / Email
• MailStore ‐ Email
• Passware Kit
• EmailChemy – Convert between different email formats
• IEF – Internet Evidence Finder
• Cellebrite / XRY – Mobile Forensics
Recommended Literature
• Among Enemies
• File System Forensic Analysis
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• EnCase Certified Examiner Study Guide
• Mastering Windows Network Forensics and Investigations
Discussion / Questions