Add to collection(s) Add to saved
  1. Business
  2. Finance

Digital_forensics

advertisement 
OWASP AppSec
The OWASP Foundation
http://www.owasp.org
Washington DC 2009
Digital Forensics
Worry about data loss
Motashim Al Razi
OWASP member
alrazimotashim@gmail.com
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is Digital Forensics?
• Branch of forensic science – uses scientific method
• The preservation, recovery, analysis and reporting of digital
artifacts including information stored on:
-
Computer/laptop systems (hard drives)
-
Storage media (USBs, CDs, DVDs, cameras, etc.)
-
Mobile phones
-
Electronic documents
• Typically used reactively, move toward proactive
- Reactive: court cases, incident response
- Proactive: mobile app security audits, continuous forensic monitoring
2
Storage Devices
There are 3 main types of storage devices used today:
1. Hard-disk drive (HDD) – Contains a spinning magnetic drive
used to store non-volatile data.
2. Solid-state drive (SSD) – Contains internal microchips for
the purpose of storing non-volatile data.
3. NAND Flash memory

Typically found in smart phones, USB thumb drivers and other portable devices

Not removable like typical HDD or SSD

Very unique characteristics from standard HDD (limited writes/erase)

In constant state of change (FTL)
3
Acquisition strategies
Forensics Analysts can acquire/receive data 3 different ways
• Backup Files
-
Backup files are provided from the “custodian”. This could include backup software
from corporations, PST file, iTunes backup, etc.
• Logical Acquisition
- A copy of the file system is created (i.e. tar.gz of / or recursive copy that preserves
date/time)
• Physical Acquisition
- Creates an exact digital replica of the storage medium
- Can recover deleted data
- This process requires specialized analysis tools and techniques
- Drive management firmware may still affect acquisition (FTL, bad blocks, etc.)
4
Image Verification
• Hash value – A calculated hex signature based on a set of
data.
- A hash value can be used to verify forensic image integrity. One slight change in
source will cause “avalanche” effect in hash value
- In order to prove that two data sets are identical, their hash values must match.
- In some instances, hash values are not stable (NAND Flash) so a hash of the data as
it’s extracted is taken but won’t necessarily match if source is imaged again.
• Common hash techniques
- mad5 (128-bit value)
- Sha256 (256-bit value)
• md5 of “Andrew Hoog” =
9bdbad9aecd74fce6e6bb48ee18100b8
5
6
7
How to acquire a forensic image
• If possible, connect drive to a physical write blocker
- This prevents any writes to the drive
- There are software techniques but not as effective
- Generally, impossible with NAND Flash devices
• Forensically acquire device with software
- Open source: dd, dcfldd and dc3dd
- Free: FTK imager and many others
- Commercial: FTK, EnCase, etc.
• Perform verification of source and image with hash signature
and record in Chain of Custody.
8
Digital evidence
• What Constitutes Digital Evidence?
– Any information being subject to human intervention or not, that can be extracted
from a computer.
– Must be in human-readable format or capable of being interpreted by a person with
expertise in the subject.
• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing investigation post employment
termination
– Recovering evidence post formatting hard
drive
– Performing investigation after multiple
users had taken over the system
9
Reasons For Evidence
• Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by Federal, State and local
authorities for crimes relating to:
•
•
•
•
•
•
•
•
•
•
•
•
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Position of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Forgery
Perjury
10
Reasons For Evidence (cont)
• Computer related crime and violations include a range of activities
including:
– Business Environment:
• Theft of or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
•
•
•
•
•
•
Reconstructing Events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software Piracy
11
Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects and use as
evidence
• Civil Litigations
– Personal and business data discovered on a computer can be used in fraud, divorce,
harassment, or discrimination cases
• Insurance Companies and Banking sector
– Evidence discovered on computer can be
used to mollify costs (fraud, worker’s
compensation, arson, etc)
– When an entity is compromised and CHD has been stolen then the entity must be
investigated by an authorized forensic company. (Commonly referred to as a QIRA or
QFI)
• Private Corporations
– Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and embezzlement cases
• Law Enforcement Officials
– Rely on computer forensics to backup search warrants and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic specialists to support claims of
harassment, abuse, or wrongful termination from employment
12
How do computer forensics relate to
Law enforcement?
Controller
Detection centre
Cyber police
Computer
forensics lab
Magistrate court
for civil offence
and high court for
criminal offence.
13
Case Study
Banking Industry Executive Level Financial Fraud
Case Study – Digital Forensics
Case Type – Internal Corporate Fraud
Environment – Complex Multi-Location Network and
Desktop computer forensics
Industry – Banking
14
Scenario:
•
A large accounting firm was hired to audit certain activities
•
related to loans to individuals on the Board of Directors of a
•
medium size, publicly traded bank (the “Bank”). During the Audit, the auditors needed to
examine
•
several computer systems used by certain Bank employees as well as by certain Board
Members.
•
digital forensic examiners were immediately dispatched and sent in to arrange for the forensic
•
analysis of the computer systems and to search for corroborating evidence in support of the
audit
•
team’s suspicions and findings. The systems analysts forensically analyzed included laptop
•
computers issued to managers in the loan origination department, desktop systems used by
•
managers and board members. Email (Exchange) servers as well as Voicemail Systems were
examined
15
Existing law for digital forensics in
Bangladesh
There is a specific version in ICT act-2006.
• 8th chapter, part-2
• No. 68: Cyber tribunal Implementation, criminal
investigation, trial, Appeal etc.
• Part-3, No. 82: Cyber Appeal tribunal.
16
International Guideline
• National Institute of Science and Technology – NIST
• Association of Chief Police Officers – ACPO (UK)
• It is a major part of IS auditing.
17
Summary &
Conclusion
Related documents
Forensics – Chapters 1-3 Study Guide Helpers
Forensics – Chapters 1-3 Study Guide Helpers
Qualifying Digital Forensic Practitioners as Expert
Qualifying Digital Forensic Practitioners as Expert
Computer and Digital Forensics Industry Overview
Computer and Digital Forensics Industry Overview
Course Syllabus Forensics Mr. LaChausse Room 123 Office Hours
Course Syllabus Forensics Mr. LaChausse Room 123 Office Hours
Welcome Letter
Welcome Letter
Wildlife Forensics
Wildlife Forensics
Forensic Science Parent Letter
Forensic Science Parent Letter
Download
advertisement