Presentation10 - University of Worcester

advertisement
Digital Forensics
and
Demonstration of Basic Forensic Techniques
Thanks to…
Jim Gordon MSc MBCS
Worcester University 12th Nov 2012
Digital Infrastructure
Format of the Presentation
One hour presentation
Examples
Followed by two hours ‘Hands On’
Review/Wash up
Basic Principles
Association of Chief Police Officers (ACPO) Guidelines
on Computer Evidence.
Establish the basic principles of acquiring evidence
from computer systems.
These principles accepted by the courts in the United
Kingdom.
ACPO Principle 1
No action taken by the Police or
their agents should change the data
held on a computer or other media.
Where possible computer
data must be ‘copied’
and the copy examined.
ACPO Principle 2
• In exceptional circumstances it maybe
necessary to access the original data held on a
target computer.
• However it is imperative
that the person doing so
is competent and can
account for their actions.
ACPO Principles 3
An audit trail must exist to
show all the processes
undertaken when examining
computer data
Many forensic tools record logs
of processes performed and
results obtained
ACPO Principle 4
The onus rests with the person
in charge of the case to show
that a computer has been
correctly examined in
accordance with the law and
accepted practice
Forensic Imaging Process
Make a bit wise image of the contents of digital
media
Store the original media and carry out forensic
analysis using the copy image
If necessary to switch on suspect machine;
Restore image to another drive and install it in
suspects machine
Or mount and start in a Virtual Machine
Retrieve evidence in a readable form
Image Hard Disk
Check BIOS Settings
Disconnect hard
drive(s) and
switch on
Check BIOS date
and time
Check machine
specific settings
Image all other Storage Media
Mobile Phone and PDA
Forensics
Handset, Memory Card and SIM
Card Examinations
Handset Examination
Logical Dump
File System Dump
Physical Dump
JTAG Dump
Chip OFF
In certain cases, SIM Cloning a
requirement
Global Positioning
Systems
Previous Destinations
Sometimes a Route or Way Points
Favourite Destinations
Link to mobile phone - Bluetooth
Contacts
Addresses
Phone numbers
Owner Details - Home Address
Unallocated - Previous Owners
Forensic Examination Process
Decide on best forensic tool(s) for the job
Expand ALL compound files
Hash ALL File Streams
Perform File Signature Analysis
Perform Entropy Test
Generate Index and/or Thumbnails of Graphics
Carve Data
Carve Meta Data
Forensic Tools
FTK
EnCase
X-Ways
Cellebrite
XRY
Oxgyen
Accepted by the court and
validated in case law
Non-invasive computer forensic
investigative tools
Cater for large volumes of data.
Read FAT, NTFS, HFS, UNIX and
LINUX - Proprietary Phone Systems
Integrated environment allows
users to perform all functions of a
forensic analysis
Expand All Compound Files
Archive Files
ZIP
RAR
Complex Files
OLE (Object Linking and
Embedding)
Mail Boxes
Outlook.pst
Inbox.dbx
Operating System Files
Thumbs Caches
Internet History
Hash All File Streams
“This is a small text file.”
MD5 (Message Digest 5)
Generates a unique 128 Bit value for each file
or data stream: Example MD5
HashesMD5 = a08a8cf89436f18ea8084817357a59c1
MD5 = 271979ddf56c38805b7562046984fe40
An MD5 Hash can be used to:
Identify Files to be ignored (OS Files).
Identify Files of importance (Contraband Files).
“This is a small text file”
File Signature Analysis
Check file header to determine if file has the
correct extension
Header
Extension
Type
Result
4d 5a 90 ...
.exe .dll
.com
Executable
Match
ff d8 ff e0 ...
.vxd
JPEG
Mismatch
****
.txt
TEXT
Unknown
Highlight files with mismatch for manual checking
Entropy Test
Can identify files that may be encrypted or
compressed
An automated frequency analysis algorithm is
used to determine if file content is encrypted
Files identified are then exported from the
image and transferred to specialist decryption
software
Generate Index
Generate an index of all strings of
characters in the disk image
Speed up subsequent searches of
suspect image
Index can be used as a dictionary for
password cracking
GREP (General Regular Expressions)
GREP can be utilised for ‘fuzzy’ searching or
pattern matching
\<[456]\d\d\d([\- ]?\d\d\d\d){3}\>
Above expression will find
credit card numbers
Optical Character Recognition
Making Text in Pictures Searchable
Generate Thumbnails
Pre-generation of thumbnail images assists in graphics
based cases when large numbers of suspect images exist
Data Carve
Search through all allocated and unallocated data
streams for known headers and recreate pointers to files
Meta Carve
Search unallocated clusters for folder/subdirectory entries and rebuild if found
What happens when a file is deleted?
The Windows operating system tracks files
(user data) using either a File Allocation Table
or a Master File Table.
In simple terms, the FAT or MFT tells the
computer where the file begins and ends.
Macintosh uses a similar system known as
Nodes.
What happens when a file is deleted?
When a file is deleted, the operating system
deletes the pointers to the file and in the FAT
or MFT the space occupied by the file is mark
as available.
The computer does not delete the actual data
that was contained in the file.
Recycle Bin Forensics
Hidden System Folder
Win 95/98 called Recycled
Win2K, NT/XP/2003 called Recycler
Hidden system file named INFO2
INFO2 contains Original Filename, Deleted Date &
Time
Vista/Win7 $Recycle.bin
Original Filename, Deleted Date & Time contained
in separate files for each deleted record
Examination of the Recycle Bin
Most forensic tools will parse the data from
the INFO2 file
FDISK
What happens when someone FDisks drive to
remove a Partition?
The 16 bytes for the partition entry within the
MBR are zeroed
The actual partition including its data are
untouched
FDISK
Partition recovery is simple
Locate VBR
Forensic Software will recover the Partition
including directory structure
ReFormat
What happens when you reformat a drive to
delete data?
Digital Forensics
and
Demonstration of Basic Forensic Techniques
Jim Gordon MSc MBCS
Worcester University 12th Nov 2012
Digital Infrastructure
Assignment 1 guidance
• Most of the concepts already covered
• You will also need to show evidence that you’ve used a
forensic disk analysis tool
• Winhex has a “free” version
• Locate & Download now… and save the zip file to your
newly acquired USB stick
– you’ll use this in LG022 after the break…
Download