Basic Computer Forensics for the Private Investigator This presentation is online at www.steveabrams.net/presentation.htm Presented by Steven M. Abrams, M.S., P.I., IEEE Computer Forensics Examiner Steve Abrams & Company, Ltd. 1558 Ben Sawyer Blvd., Suite C Mt. Pleasant, SC 29464 (843) 813-1996 steve@SteveAbrams.net 1 Steve Abrams, M.S., P.I., Curriculum Vitae •Advanced Degrees in Computer Science •20+ Years in Software and Hardware Design •Trained and Certified in Computer Forensics at the North Carolina Justice Academy and GMU2002 •Licensed Private Investigator, South Carolina •Memberships: High Technology Crime Investigation Association, Institute of Electrical and Electronic Engineers, SCALI, High Tech Computer Network, Fraternal Order of Police, South Carolina Sheriffs Association 2 Computer Forensics - The search for, and the collection of, evidence from computer systems in a standardized and well documented manner to maintain its admissibility and probative value in a legal proceeding. "Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence. Practically every investigation can benefit from the proper analysis of the suspect's computer systems." - Incident Response, Investigating Computer Crime, Pg.88 3 I. Know the Law... 4 KNOW THE LAW... The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system. The US DOJ website is: http://www.usdoj.gov/criminal/cybercrime/searching.html They also have a wealth of "cyber-crime" information online at: http://www.usdoj.gov/criminal/cybercrime/ 5 KNOW THE LAW... Under the law, electronic data storage devices (PCs, PDAs, etc.) treated like an opaque container. Even though the 4th Amendment restrictions on searches does not usually apply to you as a private individual, not acting at the behest of the government, always get written consent (or a court order) before you search any computer. 6 KNOW THE LAW... Who can give consent? In a domestic situation, either spouse (or any adult who resides in the home) can give consent to search a computer that is generally accessible to anyone in the home. “The watershed case in this area is United States v. Matlock, 415 U.S. 164 (1974). In Matlock, the Supreme Court stated that one who has “common authority” over premises or effects may consent to a search even if an absent co-user objects.” However, any password protected files cannot be included in the search if the person granting consent does not know the password. (There are certain exceptions.) See United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978) “Courts have not squarely addressed whether a suspect’s decision to password-protect or encrypt files stored in a jointly-used computer denies co-users the right to consent to a search of the files under Matlock. However, it appears likely that encryption and password-protection would in most cases indicate the absence of common authority to consent to a search among co-users who do not know the password or possess the encryption key.” Computers belonging to minor children can be searched with parental consent. The rules for adult children are tricky. 7 KNOW THE LAW… Who can give consent? In a office situation, the employee may be entitled to a reasonable expectation of privacy that precludes the employer from being able to grant consent to search the employee’s computer, even if it is company property. This makes authorized use policies and TOS banners important to establish that the employee understands the privacy policy of his employer and grants consent to search his computer and electronic files (including email). . 8 KNOW THE LAW... Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22 “Electronic communication” Most Internet communications (including e-mail) are electronic communications. 18 U.S.C. § 2510(12) defines “electronic communication” as any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature, transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device . . . ; or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds; 9 KNOW THE LAW... Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22 Exceptions f) The ‘Accessible to the Public’ Exception, 18 U.S.C. § 2511(2)(g)(i) 18 U.S.C. § 2511(2)(g)(i) permits “any person” to intercept an electronic communication made through a system “that is configured so that . . . [the] communication is readily accessible to the general public.” Although this exception has not yet been applied by the courts in any published cases involving computers, its language appears to permit the interception of an electronic communication that has been posted to a public bulletin board or a Usenet newsgroup. (AOL Chat Rooms, etc. ) 10 KNOW THE LAW... Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications. Electronic Communications Privacy Act (ECPA) ECPA regulates how the government can obtain stored account information from network service providers such as ISPs. Whenever agents or prosecutors seek stored e-mail, account records, or subscriber information from a network service provider, they must comply with ECPA. According to the US DOJ attorneys, P.I.’s in civil matters may be able to use court orders in the same manner as the government uses subpoenas and warrants under ECPA to get information from ISP's. 11 ECPA Quick Reference Guide 12 ECPA Quick Reference Guide 13 II. Computer Forensic Examination 14 A trained computer forensic examiner can: Make forensic duplicate drive images and document all files on the hard drive and the procedures used to obtain them. •Use only DOS utilities or Linux DD to make forensic copy. •NEVER ALLOW A MACHINE TO BOOT INTO WINDOWS! •Windows updates timestamps on ALL files it touches!! •Forensic copy preserves source drive above all else. •Use MD5 File Hash to Verify Copy. •Take Lots of Digital Pictures, Document everything! Maintain a record of chain of custody of all computer media 15 A trained computer forensic examiner can: Recover deleted files. Recover data from a reformatted drive. Recover data in file slack and unallocated portions of drive. 16 What is File Slack? The DOS file system file allocation table (FAT) was never designed to handle storage device with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits. Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM). This set an arbitrary limit on disk storage devices of 512x32767 = 16MB. To accommodate larger drives the concept of “clusters” was invented. Clusters are a group of sectors written as a single atomic unit. The larger the drive capacity the more sectors are grouped into clusters. (up to 128 sectors) 17 What is File Slack? FAT16 Clustering up to 128 sectors of 512 bytes allowed the original 16 bit FAT (FAT16) to handle devices up to 2GB. FAT32 When devices grew over 2GB file allocation system had to go to a 32bit FAT (FAT32) this will allow for drive capacity to grow to 17 TB. (32bit max: 268,435,455 Clusters) 18 What is File Slack? With clustering came file slack. RAM Slack If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC. Such as emails, word documents, graphics, etc. 19 What is File Slack? Drive Slack Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously. This is possible because deleting a file only removes it from the FAT, the data remains on the drive until the sector it occupies is overwritten by a subsequent file. 20 Forensic Software •Byte Back •Digit •Drive Spy •EnCase •Forensic Tool Kit (FTK) •Hash Keeper •Ilook (LEOs only) •Maresware •Microsoft TechNet •Gdisk •Password Recovery Toolkit (PRTK) •Ghost •Safeback •DriveWorks •Thumbs Plus •Linux DD (SMART) •Drive Image 21 Internet Sources of Forensic Software www.lostpassword.com - collection of password recovery tools for Windows and application software. http://stud1.tuwien.ac.at/~e9227474/english.htm - Irfanview, a GUI tool with graphics viewers for every graphics file format, still and video. Only $10 registration fee! www.data-sniffer.com - forensic tool kit ($140) includes graphics viewers and file slack viewer. www.accessdata.com - FTK, PRTK, DNA ($1795.00) Complete Forensic Tools and Password Recovery Tools 22 A trained computer forensic examiner can: Work with File Hashes A file hash is a mathematical calculation made from every byte in a file. It creates a unique digital fingerprint for that file. Using File hashes a forensic examiner can: Quickly locate and catalog every (graphic) file on a PC hard drive, and flag child pornographic images using a national database of known images. Identify known system and software files that can safely be ignored. KFF - Known File Filter NIST, INORP Databases of File Hashes Hash Keeper 23 Case 1: Adultery by Computer Forensic recovery was used to find evidence that a husband’s “hunting” trips were actually sexual encounters arranged by computer. Husband hunted women online. Investigation Methods: 1) Live Forensic Investigation to find “buddies list”. 2) Forensic copy of hard drive was analyzed by Access Data’s FTK. Evidence: Recovered emails husband had sent (found in file slack and Norton backup), and Yahoo Instant Messenger log files showing date and time of thousands of messages exchanged with various women. Recovered cached HTML from web pages he visited to find profiles of women looking for sex, and of online travel service used to buy tickets to fly them to Charleston. 24 DISCLAIMER: Working with email and electronic communications 1) Offline content (on the Hard Drive) is Fair Game. 2) Never go online to get a subject’s email Without: a) Written Permission, or b) a Court Order 3) Yahoo! Messenger leaves a complete log file on the Hard Drive, shows all message traffic. 4) Internet Browsers leave detailed history on Hard Drive show all sites visited, all graphics viewed. 25 Case 1: Adultery by Computer ALL EVIDENCE WAS FOUND LEGALLY: •WITHOUT GOING ONLINE TO HIS EMAIL ACCOUNT •WITHOUT ADDING ANY “SPY SOFTWARE” TO HIS SYSTEM Copies of emails are often left in file slack. Files on the hard drive are fair game, and won’t get you busted for wiretap violations. Many popular communications programs leave log files on the hard disk with details of all electronic communications. These are always admissible as evidence if legally obtained. 26 Forensic Recovery Seizure Take pictures to document area around the computer. You may find removable media, or clues to your subject’s passwords in your photos. 27 Bypassing/cracking system and application passwords BIOS PW? • Default/backdoor pws • AMI = 589589, amisw, ami • Award = AWARD_SW, AWARD_PW, condo, j262 • Jumper? • Remove drive Access Data Password Recovery Toolkit • http://accessdata.com/ SSA/OI G Sue He rmitage 6 28 Forensic Recovery Physical Copy Tip #2: Work from DOS or Linux. Add a clean slave drive to subject’s computer, or remove hard drive(s) and copy on your system. Do a physical copy (sector by sector) to the clean media. 29 Forensic Recovery Physical Copy Tip #3: Don’t assume system will boot first from the floppy drive. Always go into setup first and make sure the system will boot first from where you expect it to. Ex. Floppy or CD-ROM. 30 Live Forensic Investigation Take screen shots to preserve evidence. • In this case documented “buddies list” in ICQ and Yahoo! Messenger. • Used FTK to find emails to / from same buddies. And their solicitations on Internet adult meeting sites. 31 MS OFFICE FORENSICS 32 A trained computer forensic examiner can: MS OFFICE FORENSICS Every PC leaves a unique electronic fingerprint on every MS Office document it creates. (“GUID”) The “GUID” is unique to the PC and the logged in user. We can examine these documents to determine on which machine a document was created, and when and by whom it was created. “GUIDClean.exe allows users to detect, display and modify the Global Unique Identifiers (GUID) that some MS Office products (Word and Excel) place in user's documents. An argument can be made that these GUID strings are a breach of users' privacy and may be used to track documents and bind them to particular users or particular machines.” 33 III.Computer Crime Investigation 34 A trained computer crime investigator can: Trace and validate email messages stored on the hard drive. With a court order we can get additional information from the internet service providers to help ascertain the source and author of the email. Check email headers for spoofs. 35 Sam Spade Internet Sleuthing Program 36 Sam Spade Tools Sam Spade is an Internet Sleuthing Environment that allows access to about 20 UNIX net tools from MS-Windows. Shareware! From www.samspade.org (current version 1.14) Ping nslookup whois IP Block whois dig traceroute finger SMTP VRFY web browser website download DNS zone transfer Usenet cancel check keep-alive website search email header analysis email blacklist query abuse address query S_Lang scripting Time 37 38 Case 2: Forged Email Evidence In a custody hearing, the court was presented with emails and attached pornographic images that made it appear the wife had been soliciting sex over the Internet. Custody of the 3 year old child was given to the husband and his mother (paternal grandmother). The wife denied she sent the emails and said it was not her in the photo. Evidence: I was given the printed emails, the pornographic photo, and screenshots taken showing the email was received by the paternal grandmother, and it contained a virus in addition to the photo. 39 A trained computer forensic examiner can: Recover passwords from most Windows application software, and those used by Windows 9x, Windows NT, and Novell Netware servers. Decrypt encrypted data and messages. Password Recovery Toolkit Access Data - PRTK, Distributed Network Attack PRTK is dictionary based. DNA is brute force based. 40 Case 3: Hidden Financial Records In preparation for divorce proceeding, the wife brought me her husband’s home office computer Hard disk for forensic examination to locate financial records and child pornography. Evidence: Examination of the hard drive located a series of Quicken files and hidden Excel spreadsheets containing financial records. The spreadsheets recorded his actual cash receipts, the Quicken files his deposits and what he reported as income. During discovery PRTK was used to access password protected quicken files, after the court ordered all financial documents be turned over to the wife’s attorney. Cash receipts exceeded reported income by over $552,000. Pornography was found but was not child pornography. 41 IV. Incident Response 42 A trained computer forensic examiner can: Find evidence of files left behind by hackers. Incident Response Teams 43 A trained computer forensic examiner can: Locate and identify all "mal-ware" (viruses, worms, Trojans, and other malicious software) on the hard drive. 44 Thank You! 45