FORENSIC & EDISCOVERY PRACTICE TIPS
Michael Nelson
08-22-2014

This is an interactive session, driven by you. This is by no means a comprehensive, authoritative or general session. If you have an opinion or question, DO NOT HESITATE TO CONTRIBUTE. If you have a specific question or would like to get granular or detailed, we can certainly do so.

Overview
• Digital Forensics / eDiscovery Practice Tips: Learn about digital forensics and eDiscovery related to mobile devices, social media, physical infrastructure and the cloud. Areas such as data mapping, collection, metadata preservation and investigation will be touched on. Attendees will see the benefits and struggles associated with various network configurations and mobile device policies.

Whose Data Is It? Do You Have Permission?
• Just because you have a device in hand does not give you permission to look at it!
• Who Owns the Equipment?
• Who Owns the Data?
• Is It a Gray Area?
• Is There Questionable Material on the Device? (CP)
• Are You Liable for What Is or Is Not Found, or for the Condition of the Equipment?
• Protect Yourself – Always have an agreement covering these topics

Bring Your Own Device
• Blurring Lines on Device/Data Ownership
• Access to Device Outside Business Hours (Black Bag Job)
• Access to Device After Termination
• Remote Wiping
• Password Protection
• Photos / Cloud Data Storage / Local Device Storage / Personal Email Accounts
• Cell Network Not Subject to Company Filtering (w/out MDP/MDM)

Company Handbook
• Should define policies on use of company technology resources and data
• Expected Right To (or Lack Thereof) Privacy
• Mobile Device Policy / Usage
• BYOD – Company Data
• Social Media Policies
• Consult Legal Counsel

Pre-Forensics/Investigation – Data Mapping
• What Data Is Crucial
• Where Does It Reside
• Alternate Locations for Data
• Deleted Data
• Backed Up Data
• Ownership of Data – Cloud / BYOD
• Encryption
• Procedure for Capturing

How Much Data Is It?

Document Type          Avg. Pages/Doc   Avg. Pages/GB   Avg. Docs/GB   Avg. Boxes/GB
MS Word Files                9               64,782          7,198             26
Email Files                  1.5            100,099         66,732             40
MS Excel Files              50              165,791          3,316             66
Lotus 1-2-3 Files           55              297,317          5,406            119
MS PowerPoint Files         14               17,552          1,254              7
Text Files                  20              677,963         33,898            271
Image Files                  1.4             15,477         11,055              6
Source: LexisNexis

Forensics Phases
Phase I – Preservation
• Photograph / Document – Make, Model, Serial Number, Date/Time, Damage, Removable Media, Location, Individuals Involved, Chain of Custody
• Imaging Techniques and Times (why drive size and machine type matter)
  – Hard Drive Accessible & Removable
    » LogiCube Dossier ~5GB per minute (hashing/verification)
  – Hard Drive Not Accessible
    » Boot CD, Live Imaging, Network Data – various tools ~1GB per minute (plus verification)
• Should always ask about encryption, as it can change the above processes significantly

Forensics Phases – Cont.
• Phase II – Working Copies / Pre-processing
  – Creating a working/backup forensic image
  – FTK / EnCase / IEF Processing – Hashing, Expanding Compound Files, File Signature Analysis, Indexing, Internet History Extraction
• Phase III – Investigation – Reporting – Consulting
• Phase IV – Affidavit / Deposition / Testify

Collection / Forensic Imaging
• Self Collection vs. Professional
• Need to ensure proper handling of digital evidence before the investigation begins or data is turned over
  – Preservation (Forensic Imaging)
  – Verification of Data
  – Authenticity of Data
  – Integrity of Data
  – Chain of Custody
• What procedures were followed in providing you with data?
  – Is the person trained / qualified to perform the work?
  – Can this be testified to?
  – Can this be refuted?

Chain of Custody
[image slide]

Collection – Hard Drive / Targeted
• Forensic Image vs. Custom Content Imaging (Targeted Collection)
• Live vs. Offline
• RAID
• SSD

Encrypted Hard Drives / Files
• BitLocker – Enterprise & Ultimate Editions of OS – Off by Default
• USB Key OR Password/Passcode
• Server 2008 Active Directory
  – Recovery Password
  – TPM Owner Password
  – Information required to identify the computer and volumes the recovery info applies to
  – Stored in Unencrypted Format
• Live System – Steal From Memory Image

BitLocker To Go
• Encrypt removable devices
• Windows gives the ability to store information to auto-decrypt and mount without having to store the password
• Registry Key – FveAutoUnlock
• Mount the machine image as a virtual machine and attach a copy of the BitLocker To Go drive to auto unlock

Password/Encryption Cracking/Bypassing
• Windows Passwords
• File Passwords
• Encrypted Files / Volumes – (Memory Image is Crucial)
• Decrypt File Attacks – Attack on data, not password
• Brute Force
• http://www.lostpassword.com/recovery-options-forensic.htm
  – QBW/QBA – Instant Removal

Remote Data Collection
[image slide]

Collection – Email
• Where does the mail exist – POP/IMAP/Exchange
• Targeted Collection – Outlook PST, Mac Mail EML/EMLX, MBOX
• As Part of Full Forensic Image of Workstation/Laptop
• Extract from Exchange – ExMerge, PowerShell, Third Party Tools
• Collect / Process – EDB

Remote Email Collection (via MailStore)
Supported Email Systems
• Exchange Server 2003, 2007, 2010 and 2013 (including Windows Small Business Server)
• Hosted Exchange
• Microsoft Office 365
• MDaemon Messaging Server
• IceWarp E-Mail-Server
• Kerio Connect
• Any IMAP/POP3-compatible email server
• Email clients such as Microsoft Outlook
• PST and other email file formats
Tamper-proofing
• Generation of SHA1 hash values from email content
• Internal AES-256 encryption of email texts and attachments
• No direct access by MailStore client components to the archive files
• It is not possible to change email content, either in the graphical interface or in the internal program
Export Features
• Exporting to an Exchange server or an IMAP mailbox
• Sending emails to any email address via SMTP
• Exporting to email clients (Microsoft Outlook, Windows Mail, Mozilla Thunderbird)
• Exporting to the file system (generates either an .eml or .msg file for each email)
• Exporting to an Outlook .pst file

Cloud Email Collection
• Legal Hold / Mailbox Search / Import/Export
• Google Apps – ediscovery.google.com
• Office 365 – Discovery Management (In-Place eDiscovery) – Also available in Exchange 2013
• Spam Filter / Online Mailbag
• MailStore – Direct Pull From Mailboxes
• Individual Credentials vs. Dedicated User Account

Mobile Device Collection and Limitations
• Function as a Computer, but Extremely Different in the Way Collected and the Expertise Needed to Investigate
• Always On / Constantly Changing / Constant Network Communication – Faraday Box/Bag / Airplane Mode
• Phone / Internal Memory / SD Card(s) / SIM Card(s) / Cloud Data
• Standard Data Copying Will Not Cut It
• Device May Only Sync a Limited Time Period
• Imaging in Parts
• Built-In / Third Party – Backups (Also Look For Existing Backups)
• Tools to Physically/Logically Image – Cellebrite / XRY / MPE+
• iPhone 4S & Newer (many iPad models as well) – Physical Imaging NOT Possible – No Access to Email
• Forensic Community Lags Smart Phone Releases

Mobile Device Passcode Bypassing
• Bypassing – Bootloader (Galaxy S4, iPhone Models Prior to 4S)
• Using Data From Paired Computers – iOS – Trusted Paired Computer .plist
• Disabling – Delete Essential File for Locking Mechanism (Samsung Android) – Any entered password is accepted (disabling and re-enabling the lock feature returns it to normal)
• Extracting/Revealing – Manufacturer Back Door Query for Password
• Smear Pattern
• Brute-Force
• JTAG / Chip-Off

Mobile Device Policies & Mobile Device Management Warning
• Remote Wipe – Pros vs. Cons
• Remote Locking
• Location Services – Lost / Stolen

Collection – Social Media
• Social Media Affects Your Life / Business / Court Case
• Girl Costs Father 80K Settlement w/ Facebook Post – http://www.cnn.com/2014/03/02/us/facebook-post-costs-father/
• Chrysler Drops F-Bomb on Twitter – http://www.huffingtonpost.com/2011/03/09/chrysler-twitter-account-_n_833571.html
• X1 – Facebook, Twitter, Instagram, LinkedIn & Websites & Web-Based Email (Gmail, Yahoo, Outlook, IMAP)
  – One-time capture / Monitor
  – Fully Indexed & Searchable
  – Validated w/ MD5

Collection – Cloud Data Storage
• Google Drive
• Dropbox
• MS OneDrive
• Web Interfaces / Logs / Permissions / Download Data / Sync & Collect

Collection – Misc
• Routers / Switches / Firewalls
• Medical Devices
• Command Line / Device Configuration Files / Log Files / Connection Details

Computer Based Artifacts
• Data Files – Office, Email, PDF, Graphics
• Event Logs – Are you logging enough information?
• Shortcuts / link files
• Jump lists
• Prefetch files
• Windows 8 – File History (Including Deleted) – If Enabled – Local Cache if Removable/Remote Device Not Available

Metadata
• File System Metadata – Created / Accessed / Modified Dates
• File Metadata
  – Office Documents – Author Information / Time Spent Editing / Revisions / Printed / etc.
  – Email – To / From / CC / BCC / Submit Time / Deliver Time
  – Trash Can – User Account that Deleted / When Deleted / Where Originally Located

Metadata Cont.
• Programs / Applications
  – Installed date
  – Number of times run
  – Stored information and options / preferences
• Removable Devices
  – Make, model, driver information
  – First & last time connected
  – Assigned drive letter
• Printer Information
  – Installed printers
  – Print job details
  – Printed items – Graphic Representation

Misleading Information
• If the operating system is Windows Vista, 7, or 8, by default the Last Access Date is not changed when the file is actually accessed. The Last Access Date will match the File Created Date.
  – XP – controlled by a registry value and can be changed
• Metadata can be altered – Editing Directly in Document, Third Party Tools, Changing Date/Time on Computer
• Modification Date Before Creation Date
• Do you have the full picture (computer, logs, various versions)?

Windows Registry Artifacts
• Typed URLs in browser
• Recently Viewed Documents / Browsed Folders
• Protected Storage Information – Form Data, Search Queries, Login Creds
• Mount Points & Mapped Drives
• OS Install Date, Registered Owner
• UserAssist – Programs Launched & Number of Times & Last Time
• Uninstalled Software
• Time Zone & Daylight Saving Info
• Last Proper Shutdown Time
• USB Device Details
• Network Settings & Connection Information

Internet History Evidence
[image slide]

InPrivate Browsing / Incognito Modes
• Internet Explorer – Index.dat Still Used and Cache Still Written to Temporary Internet Files
  – Simply shields the data from the User Interface
  – Deleted upon closing browser – but disk is not wiped
  – RAM / Pagefile will also contain history and is not affected by this process
  – http://www.magnetforensics.com/how-private-is-internet-explorers-inprivate-browsing-first-define-private/
• Chrome – Data not written to SQLite DB files
  – Collection of RAM & Pagefile is Key to Recovering
  – http://www.magnetforensics.com/how-does-chromes-incognito-mode-affect-digital-forensics/
• Firefox – Data not written to Disk Directly
  – Collection of RAM & Pagefile is Key to Recovering
  – http://www.magnetforensics.com/forensic-implications-of-a-person-using-firefoxs-private-browsing/

Mobile Device Based Artifacts
• Call Details
• SMS / MMS Messages, iMessages, BBM – Not Always on Phone Bill
• Visual Voicemail
• Pictures / Video – GPS Information
• Location Information
• Apps
• Smart Phones are Computers w/ Phone Capabilities
• SQLite

Mobile Device Artifacts
[image slide]

Mobile Device Apps
• Skype – Calls over Internet – Not on Phone Bill
• Snapchat – Pictures w/ Captions Sent & Deleted After Viewed – Have been recoverable in the past – Popular in Financial Industry – Adding chat and call features
• Cloud Data Storage Apps – Google Drive, Dropbox, etc. – Upload / Download files
• Social Media Apps – Can still access these networks over the cell network even if the company network is blocking
• Wireless Network Mapping Tools

Android – Malware in Plain Sight
[image slide]

Cloud Storage Artifacts
• Dropbox for Business – Activity Log
  – Sharing – sending out link to file or joining a folder
  – Password – changing password or two-step verification
  – Logins / Login Failures
  – Admin Actions – shared folder permissions
  – App – linking of third party app to Dropbox
  – Devices – computer or mobile device linked to account
  – Membership – someone joins or is removed from team
  – Deleted Data
  – Restored Data
• Google Apps – Reporting – New Feature – Growing number of logged events

Drive / Data Destruction
• Drive Wiping
• Drive Destruction
• Situations where information is overlooked – Donating / Selling / Recycling / Trashing
• Sample data left behind on a hard drive – Contacts / Credit Card Info / Passwords / Financial Data / Personal Information / Internet History
• Simple Data Deletion / CCleaner – Not Enough!
• Is Wiping Actually Occurring?
  – Android – Recent News Articles – Security Wipe Not Preventing Data from Being Recovered

Memory Forensics
• New Hot Area in Forensics
• Contains Passwords
• Contains Encryption Keys
• Contains Running Processes
• Contains Network Connection Information
• Contains Internet Artifacts
• Contains Event Logs
• Contains Registry Entries
• Contains Windows Services
• Contains Disk Artifacts

The Future
Digital Forensics: A Billion-Dollar Market in the Making – http://www.inc.com/will-yakowicz/digital-forensics-billion-dollar-market.html
• Internet of Things
• Generate and leave a visible trail at every place we visit, on everything we touch, and with everything we do
• "Therefore, in the next few years, we will be in a position in which every activity, including any law enforcement investigation, will have a digital forensics component. If you want to track a suspect, you're not going to do it the old-fashioned way with DNA forensics. You will be doing digital forensics to see what the suspect was doing in the cloud, where the person's mobile device was located at what time and what he or she was doing, where the person's car had been. All these new applications of digital forensics will be pieces of evidence and will make the industry much bigger, more important, and more valuable in the next few years."
• Law Needs to Keep Pace w/ Technology

• Insurance
• Cyber Liability
• Data Recovery / Disaster Recovery

Recommended Tools
• Volatility – Memory Forensics
• FTK Imager
• EnCase Portable
• X1 – Social Media / Websites / Email
• MailStore – Email
• Passware Kit
• EmailChemy – Convert between different email formats
• IEF – Internet Evidence Finder
• Cellebrite / XRY – Mobile Forensics

Recommended Literature
• Among Enemies
• File System Forensic Analysis
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• EnCase Certified Examiner Study Guide
• Mastering Windows Network Forensics and Investigations

Discussion / Questions
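An added example, not part of the presentation, that ties together the hashing/verification step from Phase I, the Verification / Integrity / Chain of Custody points from the Collection slide, and the "Modification Date Before Creation Date" warning from the Misleading Information slide: a Python collection manifest that hashes every file with MD5 (as X1 does), SHA-1 (as MailStore does) and SHA-256, flags suspicious timestamps, and re-verifies the collection later. The file names, the one-year backdate and the edit made "after collection" are constructed sample data.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")  # MD5 (X1), SHA-1 (MailStore), SHA-256 (preferred today)

def hash_file(path, chunk=1 << 20):
    """Hash the file once, feeding every algorithm from the same 1 MiB reads."""
    digests = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {a: d.hexdigest() for a, d in digests.items()}

def build_manifest(root):
    """Record hashes and timestamps per file; flag the deck's 'misleading information' cases."""
    root, now, files = Path(root), time.time(), []
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        st = p.stat()
        # st_birthtime is creation time on Windows/macOS; Linux only exposes inode change time
        created = getattr(st, "st_birthtime", st.st_ctime)
        flags = ["modified-before-created"] if st.st_mtime < created - 1 else []  # backdated copy
        if st.st_mtime > now + 60:
            flags.append("modified-in-future")  # system clock was changed
        files.append({"path": str(p.relative_to(root)), "created": created,
                      "modified": st.st_mtime, "hashes": hash_file(p), "flags": flags})
    return {"collected_at": now, "files": files}

def verify_manifest(root, manifest):
    """Re-hash the collection; return [(path, reason)] for anything that no longer matches."""
    root, problems = Path(root), []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append((entry["path"], "missing"))
        elif hash_file(p) != entry["hashes"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems

def demo():
    """Constructed sample: a normal file, a backdated file, then tampering after imaging."""
    root = Path(tempfile.mkdtemp())
    (root / "memo.docx").write_bytes(b"constructed sample document")
    (root / "old.txt").write_bytes(b"constructed backdated file")
    os.utime(root / "old.txt", (time.time(), time.time() - 365 * 86400))  # mtime one year back
    manifest = build_manifest(root)
    (root / "memo.docx").write_bytes(b"changed after collection")  # simulated tampering
    return manifest, verify_manifest(root, manifest)
```

Store the manifest (and the examiner, date/time and device details from the Phase I slide) with the image; a later verify_manifest run that returns an empty list is the evidence that nothing changed in custody.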