Basic Computer Forensics for the Private Investigator

This presentation is online at
www.steveabrams.net/presentation.htm
Presented by
Steven M. Abrams, M.S., P.I., IEEE
Computer Forensics Examiner
Steve Abrams & Company, Ltd.
1558 Ben Sawyer Blvd., Suite C
Mt. Pleasant, SC 29464
(843) 813-1996 steve@SteveAbrams.net
Steve Abrams, M.S., P.I.,
Curriculum Vitae
•Advanced Degrees in Computer Science
•20+ Years in Software and Hardware Design
•Trained and Certified in Computer Forensics at the
North Carolina Justice Academy and GMU, 2002
•Licensed Private Investigator, South Carolina
•Memberships: High Technology Crime Investigation Association,
Institute of Electrical and Electronics Engineers, SCALI, High Tech
Computer Network, Fraternal Order of Police, South Carolina
Sheriffs Association
Computer Forensics - The search for, and the collection of, evidence
from computer systems in a standardized and well documented manner
to maintain its admissibility and probative value in a legal proceeding.
"Forget dumpster diving. Computers harbor more personal
information and secrets than anyone can discard into a 20-gallon
trash container. A typical computer holds information
people once stored in wallets, cameras, contact lists,
calendars, and filing cabinets. Computers are the treasure
trove of personal contacts, personal finance, and
correspondence. Practically every investigation can benefit
from the proper analysis of the suspect's computer systems."
- Incident Response: Investigating Computer Crime, pg. 88
I. Know the Law...
KNOW THE LAW...
The US DOJ maintains a website with guidelines and case law
pertaining to seizing and searching computers. It's the best
place to start putting together a legal case that will be based on
evidence obtained from a computer system.
The US DOJ website is:
http://www.usdoj.gov/criminal/cybercrime/searching.html
They also have a wealth of "cyber-crime" information online at:
http://www.usdoj.gov/criminal/cybercrime/
KNOW THE LAW...
Under the law, electronic data storage devices (PCs, PDAs, etc.) are
treated like an opaque container.
Even though the 4th Amendment restrictions on searches do
not usually apply to you as a private individual not acting at
the behest of the government, always get written consent (or a
court order) before you search any computer.
KNOW THE LAW...
Who can give consent?
In a domestic situation, either spouse (or any adult who resides in the home)
can give consent to search a computer that is generally accessible to anyone
in the home.
“The watershed case in this area is United States v. Matlock, 415 U.S. 164 (1974). In
Matlock, the Supreme Court stated that one who has “common authority” over
premises or effects may consent to a search even if an absent co-user objects.”
However, password protected files cannot be included in the search if
the person granting consent does not know the password. (There are certain
exceptions.) See United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978).
“Courts have not squarely addressed whether a suspect’s decision to password-protect or encrypt files stored in a
jointly-used computer denies co-users the right to consent to a search of the files under Matlock. However, it
appears likely that encryption and password-protection would in most cases indicate the absence of common
authority to consent to a search among co-users who do not know the password or possess the encryption key.”
Computers belonging to minor children can be searched with parental
consent. The rules for adult children are tricky.
KNOW THE LAW…
Who can give consent?
In an office situation, the employee may be entitled to a
reasonable expectation of privacy that precludes the employer
from being able to grant consent to search the employee’s
computer, even if it is company property.
This makes acceptable use policies and logon (TOS) banners important
to establish that the employee understands the privacy policy of
his employer and grants consent to search his computer and
electronic files (including email).
KNOW THE LAW...
Several Federal Statutes Apply to the Searching of Electronic
Information Systems, and especially to Electronic
Communications.
The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22
“Electronic communication”
Most Internet communications (including e-mail) are electronic communications.
18 U.S.C. § 2510(12) defines “electronic communication” as
any transfer of signs, signals, writing, images, sounds, data, or intelligence of any
nature, transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectronic or photooptical system that affects interstate or foreign
commerce, but does not include
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device . . . ; or
(D) electronic funds transfer information stored by a financial institution in a
communications system used for the electronic storage and transfer of funds;
KNOW THE LAW...
The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22
Exceptions
The ‘Accessible to the Public’ Exception, 18 U.S.C. § 2511(2)(g)(i)
18 U.S.C. § 2511(2)(g)(i) permits “any person” to intercept an electronic
communication made through a system “that is configured so that . . .
[the] communication is readily accessible to the general public.” Although
this exception has not yet been applied by the courts in any published
cases involving computers, its language appears to permit the
interception of an electronic communication that has been posted to a
public bulletin board or a Usenet newsgroup. (AOL Chat Rooms, etc. )
KNOW THE LAW...
Electronic Communications Privacy Act (ECPA)
ECPA regulates how the government can obtain stored account information from network
service providers such as ISPs. Whenever agents or prosecutors seek stored e-mail,
account records, or subscriber information from a network service provider, they must
comply with ECPA.
According to the US DOJ attorneys, P.I.’s in civil matters may be able to use
court orders in the same manner as the government uses subpoenas and
warrants under ECPA to get information from ISP's.
ECPA Quick Reference Guide
II. Computer Forensic Examination
A trained computer forensic examiner can:
Make forensic duplicate drive images and document all files on
the hard drive and the procedures used to obtain them.
•Use only DOS utilities or Linux dd (behind a hardware write blocker
where one is available) to make the forensic copy.
•NEVER ALLOW A MACHINE TO BOOT INTO WINDOWS!
•Windows updates timestamps on files it touches, and writes to the
drive (swap file, registry, temp files) as soon as it boots!!
•Forensic copy preserves source drive above all else.
•Use an MD5 file hash to verify the copy; record a second hash (SHA-1 or
SHA-256) alongside it, since MD5 collisions are now practical.
•Take Lots of Digital Pictures, Document everything!
Maintain a record of chain of custody of all computer media
A trained computer forensic examiner can:
Recover deleted files.
Recover data from a reformatted drive.
Recover data in file slack and unallocated
portions of drive.
What is File Slack?
The DOS file system file allocation table (FAT) numbers its storage
units (“clusters”) with a fixed-width integer: 12 bits in the original
FAT12 and 16 bits in FAT16. A 16-bit number can only count up to
65,535 (the often-quoted 32,767 is the signed limit), and a few values
are reserved, so a FAT16 volume cannot have more than about 65,500
clusters.
Data is written in sectors of 512 bytes (hard drives,
floppy), or 2048 bytes (CD-ROM).
With one 512-byte sector per cluster this caps a volume at
512 x 65,536 = 32MB.
To accommodate larger drives the concept of “clusters”
was extended. Clusters are a group of sectors allocated as a
single unit. The larger the drive capacity the more
sectors are grouped into clusters. (up to 128 sectors)
What is File Slack?
FAT16
Clustering up to 64 sectors (32KB clusters) allowed the original
16 bit FAT (FAT16) to handle devices up to 2GB under DOS and
Windows 9x; Windows NT allows 128-sector (64KB) clusters and 4GB.
FAT32
When devices grew over 2GB the file allocation system had
to go to a 32bit FAT (FAT32). Only 28 of the 32 bits are used for the
cluster number, so the limit is 268,435,455 clusters, which with 64KB
clusters allows drive capacity to grow to about 17TB (16 TiB).
What is File Slack?
With clustering came file slack.
RAM Slack
If the file you are writing is shorter than the number of
bytes in the clusters you have allocated for your file, the
file system will pad the data out to the end of the current
sector with “RAM slack”. Under DOS and Windows 9x, RAM slack is
whatever data happens to be in the write buffer in RAM at the
time the file is written. It can contain any data that you were
working on since you last booted the PC, such as emails, Word
documents, graphics, etc. (Windows NT/2000/XP zero-fill this
padding, so RAM slack is mostly a DOS and Windows 9x artifact.)
What is File Slack?
Drive Slack
Unlike RAM slack which comes from working storage,
“drive slack” is data left on the drive from a previous file.
After completing the last partial sector with RAM slack,
subsequent whole sectors in the last cluster are left as is
with whatever data was written there previously.
This is possible because deleting a file only marks its directory
entry as deleted and frees its clusters in the FAT; the data remains
on the drive until the sectors it occupied are overwritten by a
subsequent file.
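The cluster arithmetic of the FAT slides and the two kinds of slack above, as an added worked example (not part of the original deck). It assumes 512-byte sectors and 8-sector (4 KB) clusters for the demo, and constructs both the "previous occupant" of the cluster and the contents of the write buffer; the deleted e-mail and the letter draft are invented.

```python
import math
import re

SECTOR = 512            # bytes per sector (floppy / hard drive)
CLUSTER_SECTORS = 8     # assumed 4 KB clusters for the demo; FAT16 allows up to 128


def fat_max_volume(cluster_bits, sectors_per_cluster, sector=SECTOR):
    """Largest volume (bytes) a FAT with cluster_bits-wide cluster numbers
    can address at a given cluster size (ignores the few reserved values)."""
    return (2 ** cluster_bits) * sectors_per_cluster * sector


def slack_layout(file_size, sector=SECTOR, sectors_per_cluster=CLUSTER_SECTORS):
    """For a file of file_size > 0 bytes return (clusters, ram_slack, drive_slack).

    ram_slack:   bytes from the end of the data to the end of its last sector
    drive_slack: whole untouched sectors from there to the end of the cluster
    """
    cluster = sector * sectors_per_cluster
    clusters = math.ceil(file_size / cluster)
    sectors_used = math.ceil(file_size / sector)
    ram_slack = sectors_used * sector - file_size
    drive_slack = clusters * cluster - sectors_used * sector
    return clusters, ram_slack, drive_slack


def write_into_cluster(old_cluster, data, ram_buffer, sector=SECTOR):
    """Simulate DOS/Win9x writing `data` into a cluster that previously held
    old_cluster: the tail of the last sector is padded from ram_buffer (RAM
    slack) and every later sector is left exactly as it was (drive slack)."""
    assert 0 < len(data) <= len(old_cluster)
    pad = math.ceil(len(data) / sector) * sector - len(data)
    new = bytearray(old_cluster)
    new[:len(data)] = data
    new[len(data):len(data) + pad] = ram_buffer[:pad]
    return bytes(new)


def carve_slack(cluster_bytes, file_size, min_len=8):
    """Printable strings found after the logical end of file, i.e. in slack."""
    return re.findall(rb"[ -~]{%d,}" % min_len, cluster_bytes[file_size:])


def demo():
    cluster_size = SECTOR * CLUSTER_SECTORS
    # Constructed previous occupant of the cluster: a deleted e-mail.
    old = (b"To: jane@example.test Subject: hotel room Tuesday 7pm\r\n" * 80)[:cluster_size]
    # Constructed contents of the write buffer at the moment of the write.
    ram = b"RAM:draft of letter to my lawyer about the accounts".ljust(SECTOR, b"\x00")
    data = b"A" * 1000                          # the new, innocuous file
    cluster = write_into_cluster(old, data, ram)
    return cluster, carve_slack(cluster, len(data))


if __name__ == "__main__":
    print(slack_layout(1000))                   # (1, 24, 3072)
    for s in demo()[1]:
        print(s)
```

A 1000-byte file in a 4 KB cluster uses two sectors: 24 bytes of RAM slack finish the second sector and the remaining six sectors (3072 bytes) are drive slack. The carve runs only over bytes past the logical end of file, which is why the file's own contents never show up in it and the old e-mail and the letter draft do.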
Forensic Software
•Byte Back
•Digit
•Drive Spy
•EnCase
•Forensic Tool Kit (FTK)
•Hash Keeper
•Ilook (LEOs only)
•Maresware
•Microsoft TechNet
•Gdisk
•Password Recovery
Toolkit (PRTK)
•Ghost
•Safeback
•DriveWorks
•Thumbs Plus
•Linux DD (SMART)
•Drive Image
Internet Sources of
Forensic Software
www.lostpassword.com - collection of password recovery
tools for Windows and application software.
http://stud1.tuwien.ac.at/~e9227474/english.htm - Irfanview,
a GUI tool with graphics viewers for every graphics file
format, still and video. Only $10 registration fee!
www.data-sniffer.com - forensic tool kit ($140) includes
graphics viewers and file slack viewer.
www.accessdata.com - FTK, PRTK, DNA ($1795.00)
Complete Forensic Tools and Password Recovery Tools
A trained computer forensic examiner can:
Work with File Hashes
A file hash is a mathematical calculation made from every byte
in a file. It creates a digital fingerprint for that file: two files with
the same hash can be treated as identical, and renaming a file does
not change its hash, but changing a single byte does.
Using File hashes a forensic examiner can:
Quickly locate and catalog every (graphic) file on a PC hard drive, and flag
child pornographic images using a national database of known images.
Identify known system and software files that can safely be ignored.
KFF - Known File Filter
NIST (NSRL), INORP Databases of File Hashes
Hash Keeper
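A known-file-filter pass over a directory tree, as an added example (not code from the deck or from any of the listed tools). The two "known" hash sets stand in for NSRL/HashKeeper style databases and are built from invented file contents; the triage tree is constructed in a temporary directory. The renamed copy of a known file is still flagged because the hash depends on content only, and the copy with one byte changed is not, which is the limitation of exact hash matching.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed stand-ins for known-file databases (real sets hold millions).
KNOWN_GOOD = {hashlib.sha256(b"MZ\x90\x00 pretend windows binary").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"\xff\xd8\xff\xe0 pretend contraband jpeg").hexdigest()}


def classify(path):
    """ALERT for a known-bad hash, ignore for known system files, review otherwise."""
    digest = sha256_file(path)
    if digest in KNOWN_BAD:
        return "ALERT"
    if digest in KNOWN_GOOD:
        return "ignore"
    return "review"


def triage(root):
    """Walk root and classify every file; returns {relative path: verdict}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return results


def demo():
    # Constructed "suspect drive" laid out in a temp directory.
    files = {
        "WINDOWS/system32/calc.exe": b"MZ\x90\x00 pretend windows binary",
        "My Pictures/vacation.jpg": b"\xff\xd8\xff\xe0 pretend contraband jpeg",    # renamed, still caught
        "My Pictures/edited.jpg": b"\xff\xd8\xff\xe0 pretend contraband jpeg!",     # one byte added, escapes
        "letter.doc": b"\xd0\xcf\x11\xe0 some document",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return triage(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:7} {path}")
```

MD5 is still what many older hash sets are keyed on; when you must use it for compatibility, store a SHA-256 next to it so the catalog is not undermined by a crafted collision.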
Case 1: Adultery by Computer
Forensic recovery was used to find evidence that a
husband’s “hunting” trips were actually sexual encounters
arranged by computer. Husband hunted women online.
Investigation Methods:
1) Live Forensic Investigation to find “buddies list”.
2) Forensic copy of hard drive was analyzed by
Access Data’s FTK.
Evidence: Recovered emails husband had sent (found in file slack
and Norton backup), and Yahoo Instant Messenger log files showing
date and time of thousands of messages exchanged with various
women. Recovered cached HTML from web pages he visited to find
profiles of women looking for sex, and of online travel service used to
buy tickets to fly them to Charleston.
DISCLAIMER:
Working with email and electronic communications
1) Offline content (on the Hard Drive) is Fair Game.
2) Never go online to get a subject’s email
Without:
a) Written Permission, or
b) a Court Order
3) Yahoo! Messenger leaves a complete log file on
the Hard Drive, showing all message traffic.
4) Internet Browsers leave detailed history on the Hard
Drive showing all sites visited, all graphics viewed.
Case 1: Adultery by Computer
ALL EVIDENCE WAS FOUND LEGALLY:
•WITHOUT GOING ONLINE TO HIS EMAIL ACCOUNT
•WITHOUT ADDING ANY “SPY SOFTWARE” TO HIS
SYSTEM
Copies of emails are often left in file slack.
Files on the hard drive are fair game, and won’t get you busted for wiretap
violations.
Many popular communications programs leave log files on
the hard disk with details of all electronic communications.
These are generally admissible as evidence if legally obtained and
properly authenticated.
Forensic Recovery Seizure
Take pictures to
document area
around the
computer.
You may find
removable media, or
clues to your
subject’s passwords
in your photos.
Bypassing/cracking system and
application passwords

BIOS PW?
• Default/backdoor pws
• AMI = 589589, amisw, ami
• Award = AWARD_SW, AWARD_PW, condo, j262
• Clear-CMOS jumper (or pull the CMOS battery)?
• Remove drive: a BIOS password only gates booting that PC, not the
disk itself, so image the drive on your own system. (An ATA drive
password, by contrast, locks the disk and is not bypassed this way.)

Access Data Password Recovery Toolkit
• http://accessdata.com/
SSA/OIG Sue Hermitage
Forensic Recovery Physical Copy
Tip #2: Work from
DOS or Linux.
Add a clean slave drive to the
subject’s computer, or
remove the hard drive(s) and
copy them on your system.
Do a physical copy
(sector by sector) to the
clean media.
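The physical copy and hash verification from this slide and from the imaging checklist earlier ("Use MD5 File Hash to Verify Copy"), as an added example that is not the deck's own procedure or any tool's code. It models what `dd conv=noerror,sync` does: an unreadable sector is logged and written as zeros so every later sector keeps its offset in the image. The "drive" is a constructed sector reader with one failing sector; there is no real device.

```python
import hashlib

SECTOR = 512


def image_device(read_sector, sector_count):
    """Sector-by-sector copy. Unreadable sectors are logged and written as
    zeros so the image stays offset-aligned (dd conv=noerror,sync behaviour)."""
    image = bytearray()
    bad_sectors = []
    for i in range(sector_count):
        try:
            data = read_sector(i)
        except OSError:
            data = b"\x00" * SECTOR
            bad_sectors.append(i)
        image += data
    return bytes(image), bad_sectors


def digests(data):
    """MD5 for compatibility with older tools plus SHA-256 as the real check."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(image, recorded):
    """True only if both recorded digests still match the image."""
    return digests(image) == recorded


def make_drive(sector_count, bad_sectors):
    """Constructed stand-in for a suspect drive (hypothetical, not a device):
    sector i holds its own number repeated; sectors in bad_sectors fail."""
    def read_sector(i):
        if i in bad_sectors:
            raise OSError(f"I/O error reading sector {i}")
        return (f"sector {i:06d} ".encode() * 64)[:SECTOR]
    return read_sector


def demo():
    read = make_drive(64, {17})
    image, bad = image_device(read, 64)
    recorded = digests(image)          # goes into the examination notes
    tampered = bytearray(image)
    tampered[100] ^= 0x01              # a single flipped bit
    return {
        "bad_sectors": bad,
        "image_len": len(image),
        "verified": verify_image(image, recorded),
        "tampered_verified": verify_image(bytes(tampered), recorded),
    }


if __name__ == "__main__":
    print(demo())
```

When the source reads cleanly, hash the source and the image and record both. When sectors fail, the source cannot be hashed reproducibly; the image hash together with the bad-sector list becomes the reference, and a later re-image that lists the same sectors and hashes the same confirms the copy.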
Forensic Recovery Physical Copy
Tip #3: Don’t assume
system will boot first
from the floppy drive.
Always go into setup first
and make sure the system
will boot first from where
you expect it to.
Ex. Floppy or CD-ROM.
Live Forensic Investigation
Take screen shots to
preserve evidence.
• In this case documented
“buddies list” in ICQ
and Yahoo! Messenger.
• Used FTK to find
emails to / from same
buddies. And their
solicitations on Internet
adult meeting sites.
MS OFFICE FORENSICS
A trained computer forensic examiner can:
MS OFFICE FORENSICS
Office 97 left a unique electronic fingerprint on every Word and Excel
document it created: a “GUID” derived from the MAC address of the
network adapter in the PC that created it. (Microsoft removed this in
Office 97 SR-2 and later versions.)
The GUID tells us on which machine a document was created. When and
by whom it was created (and last saved) comes from the document’s
summary properties: Author, Last Saved By, Company, created/modified
times, revision count and total editing time.
“GUIDClean.exe allows users to detect, display and modify
the Global Unique Identifiers (GUID) that some MS Office
products (Word and Excel) place in user's documents. An
argument can be made that these GUID strings are a breach of
users' privacy and may be used to track documents and bind
them to particular users or particular machines.”
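Pulling the machine fingerprint out of such a GUID, as an added example (not GUIDClean and not code from the deck). The Office 97 identifier was a standard version-1 UUID, so its last six bytes are the adapter's MAC address and its first 60 bits are a timestamp in 100 ns ticks since 15 October 1582; this decoder works for any version-1 GUID found in a file. The sample blob is constructed: it mimics an OLE2 header, a UTF-16LE `_PID_GUID` property name and value, and an ASCII version-4 GUID. The version-1 value is the RFC 4122 DNS namespace UUID, used only because it is a genuine time-based UUID with a unicast node.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # RFC 4122 time origin
GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
                     r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?")


def decode_guid(text):
    """Decode one GUID. For version 1 (time-based) recover the node, which is
    a MAC address unless the multicast bit is set, and the creation time."""
    u = uuid.UUID(text)
    info = {"guid": str(u), "version": u.version}
    if u.version == 1:
        first_octet = (u.node >> 40) & 0xFF
        info["node"] = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
        info["node_is_mac"] = not (first_octet & 0x01)    # multicast bit => random node
        info["created"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)  # 100 ns ticks
    return info


def find_guids(data):
    """Scan raw file bytes for GUID strings stored as ASCII or UTF-16LE
    (both alignments), decoding each distinct one once."""
    views = [data.decode("latin-1"),
             data.decode("utf-16-le", "ignore"),
             data[1:].decode("utf-16-le", "ignore")]
    seen, found = set(), []
    for text in views:
        for m in GUID_RE.finditer(text):
            g = m.group(1).lower()
            if g not in seen:
                seen.add(g)
                found.append(decode_guid(g))
    return found


# Constructed sample (not a real Office file): OLE2 magic, padding, then the
# "_PID_GUID" property name and value as UTF-16LE, then an ASCII v4 GUID.
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
          + "_PID_GUID".encode("utf-16-le") + b"\x00\x00"
          + "{6BA7B810-9DAD-11D1-80B4-00C04FD430C8}".encode("utf-16-le")
          + b"\x00" * 6 + b"{3F2504E0-4F89-41D3-9A0C-0305E82C3301}" + b"\x00" * 4)


if __name__ == "__main__":
    for g in find_guids(SAMPLE):
        print(g)
```

A version-4 GUID is random and identifies nothing, so only version-1 values are worth chasing; and even there a set multicast bit means the generator substituted a random node for the MAC.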
III.Computer Crime Investigation
A trained computer crime investigator can:
Trace and validate email messages stored on the hard drive.
With a court order we can get additional information from the
internet service providers to help ascertain the source and
author of the email.
Check email headers for spoofs.
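Checking email headers for spoofs, as an added example (not code from the deck or from Sam Spade). The message is constructed, with invented hosts and documentation addresses, and is shaped like the forged-email scenario in Case 2: the From: line claims one domain while the Received: chain shows the message originating from a dial-up at an unrelated ISP. Only the Received: line added by the recipient's own server can be trusted; everything below it can be forged, so these are indicators to take to the ISP with a court order, not proof.

```python
import email
import email.utils
import re

# Constructed message (not real traffic).
SAMPLE = (
    "Received: from mail.isp-example.net (mail.isp-example.net [198.51.100.25])\n"
    "    by mx.recipient-example.org with ESMTP id abc123\n"
    "    for <grandmother@recipient-example.org>; Tue, 4 Feb 2003 10:15:02 -0500\n"
    "Received: from [192.0.2.77] (dialup-77.isp-example.net [192.0.2.77])\n"
    "    by mail.isp-example.net with SMTP id xyz789; Tue, 4 Feb 2003 10:14:58 -0500\n"
    'From: "Jane Doe" <jane@wife-mail-example.com>\n'
    "To: grandmother@recipient-example.org\n"
    "Subject: photos\n"
    "Message-ID: <20030204151458.xyz789@mail.isp-example.net>\n"
    "Date: Tue, 4 Feb 2003 10:14:50 -0500\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def parse_received(raw):
    """Received: lines, oldest hop first, as {helo, rdns, ip, by}."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(unfold(value))
        if not m:
            continue
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3).rstrip(";")
        ip = IP_RE.search(comment) or IP_RE.search(helo)
        hops.append({"helo": helo, "rdns": comment, "ip": ip.group(1) if ip else None, "by": by})
    return hops


def spoof_indicators(raw):
    """Plain-language notes on where the From: line disagrees with the path."""
    msg = email.message_from_string(raw)
    hops = parse_received(raw)
    notes = []
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    path_hosts = " ".join(f"{h['helo']} {h['rdns']} {h['by']}" for h in hops).lower()
    if from_dom and from_dom not in path_hosts:
        notes.append(f"From: domain {from_dom} does not appear anywhere in the Received chain")
    mid_dom = msg.get("Message-ID", "").rsplit("@", 1)[-1].strip("<> ").lower()
    if mid_dom and from_dom and not mid_dom.endswith(from_dom):
        notes.append(f"Message-ID domain {mid_dom} does not match From: domain {from_dom}")
    for a, b in zip(hops, hops[1:]):       # each hop's "by" should be the next hop's "from"
        if a["by"].lower() not in (b["helo"].lower(), *b["rdns"].lower().split()):
            notes.append(f"chain gap: {a['by']} handed off, next hop claims receipt from {b['helo']}")
    if hops and hops[0]["ip"]:
        notes.append(f"origin: {hops[0]['ip']} ({hops[0]['rdns'] or hops[0]['helo']}) via {hops[0]['by']}")
    return notes


if __name__ == "__main__":
    for note in spoof_indicators(SAMPLE):
        print(note)
```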
Sam Spade Internet Sleuthing Program
Sam Spade Tools
Sam Spade is an Internet Sleuthing Environment that allows
access to about 20 UNIX net tools from MS-Windows.
Shareware! From www.samspade.org
(current version 1.14)
Ping
nslookup
whois
IP Block whois
dig
traceroute
finger
SMTP VRFY
web browser
website download
DNS zone transfer
Usenet cancel check
keep-alive
website search
email header analysis
email blacklist query
abuse address query
S_Lang scripting
Time
Case 2: Forged Email Evidence
In a custody hearing, the court was presented with emails
and attached pornographic images that made it appear the
wife had been soliciting sex over the Internet. Custody of
the 3 year old child was given to the husband and his
mother (paternal grandmother). The wife denied she sent
the emails and said it was not her in the photo.
Evidence: I was given the printed emails, the pornographic photo,
and screenshots taken showing the email was received by the paternal
grandmother, and it contained a virus in addition to the photo.
A trained computer forensic examiner can:
Recover passwords from most Windows application software,
and those used by Windows 9x, Windows NT, and Novell Netware
servers.
Decrypt encrypted data and messages (where the password can be
recovered; strong encryption under a good passphrase may not yield).
Password Recovery Toolkit
Access Data - PRTK, Distributed Network Attack
PRTK is dictionary based (word lists plus mangling rules, on one machine).
DNA is brute force based (the whole keyspace, spread across many machines).
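The difference between the two attack styles, as an added example (not PRTK or DNA code, and not from the deck). The key derivation here is a stand-in SHA-256 of the password; a real tool targets the application's own scheme (Quicken, Office, ZIP and so on), which is usually much slower per guess. The word list and target passwords are invented.

```python
import hashlib
import itertools
import string


def key(password):
    """Stand-in for the application's key derivation (assumption: SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word):
    """A few PRTK-style rules: case variants, appended digits and years, leet."""
    base = {word, word.lower(), word.upper(), word.capitalize()}
    out = set(base)
    for w in base:
        out.update(w + str(n) for n in range(100))            # hunter7
        out.update(w + f"{n:02d}" for n in range(100))        # hunter07
        out.update(w + str(y) for y in range(1950, 2004))     # hunter1998
        out.add(w.replace("a", "@").replace("e", "3").replace("o", "0"))  # hunt3r
    return out


def dictionary_attack(target, wordlist):
    """Try every mangled form of every word; cheap, wins on human-chosen passwords."""
    for word in wordlist:
        for candidate in mangle(word):
            if key(candidate) == target:
                return candidate
    return None


def brute_force(target, alphabet, max_len):
    """Enumerate the whole keyspace up to max_len; guaranteed but exponential."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if key(candidate) == target:
                return candidate
    return None


def keyspace(alphabet_size, max_len):
    """Number of candidates brute force must cover for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def demo():
    # Constructed: the "owner" used a hobby word with a capital and two digits.
    wordlist = ["deer", "hunter", "shotgun"]
    found = dictionary_attack(key("Hunter02"), wordlist)
    # Brute force on a short lowercase+digit password is fine...
    short = brute_force(key("ab1"), string.ascii_lowercase + string.digits, 3)
    # ...but the same search for 8 mixed-case alphanumerics is another matter.
    return found, short, keyspace(62, 8)


if __name__ == "__main__":
    found, short, size = demo()
    print(f"dictionary: {found}, brute force: {short}, 62^1..62^8 = {size:,}")
```

At a million guesses per second the 62-character, eight-position keyspace is roughly seven years of work, which is the whole reason DNA spreads it across a network and why the dictionary pass goes first.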
Case 3: Hidden Financial Records
In preparation for divorce proceeding, the wife brought me
her husband’s home office computer Hard disk for forensic
examination to locate financial records and child
pornography.
Evidence: Examination of the hard drive located a series of Quicken
files and hidden Excel spreadsheets containing financial records. The
spreadsheets recorded his actual cash receipts, the Quicken files his
deposits and what he reported as income. During discovery PRTK was
used to access password protected Quicken files, after the court
ordered all financial documents be turned over to the wife’s attorney.
Cash receipts exceeded reported income by over $552,000.
Pornography was found but was not child pornography.
IV. Incident Response
A trained computer forensic examiner can:
Find evidence of files left
behind by hackers.
Incident Response Teams
A trained computer forensic examiner can:
Locate and identify all
"mal-ware" (viruses, worms,
Trojans, and other malicious
software) on the hard drive.
Thank You!