Computer Forensics handouts

Academic year: 2017
(1)

Computer Forensics

Tim Louwers, Ph.D., CPA, CIA, CISA

(2)

Computer Crime

Types of Computer Crimes

– Hacking/cracking, network intrusion

– Computer viruses

– Harassment and cyberstalking

– Industrial espionage, insider crimes

– Employee misconduct

– Child porn

– Pirated software

(3)

Examples

Hackers reroute phone lines to guarantee winning radio giveaway.

– Two Porsches and $30,000

Network Program Designer unleashes $10 million computer “bomb.”

– Bomb permanently deleted all of the company’s sophisticated software programs.

Three Drexel frat brothers “fix” horse race

– Prosecutors called it a real-life version of "The Sting" -- an insider exploiting a hole in

(4)

Computer Forensics Defined

“The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity.” -- The SANS (SysAdmin, Audit, Network, Security) Institute

“The application of computer investigation and analysis techniques in the interests of determining potential legal evidence.” -- Judd Robbins (Computer Forensics Investigator)

“The science of acquiring, preserving, retrieving, and presenting data that has been

(5)

Computer Forensics

Computer is used as a storage medium -- evidence can be retrieved even when the data is deleted.

Useful aid in law enforcement.

– Tracking terrorists

– Impeaching Presidents

– Tracing computer virus creators

(6)

Evidence that can be found with Computer Forensic Techniques

All existing data in the computer's directory structure.

Any deleted files which have not yet been overwritten by the operating system.

Deleted emails.

Pages recently printed on the suspect's printer.

Renamed files.

Application software.

Specific words, numbers, etc.

Recently accessed web sites.

Passwords to commonly used programs/websites.

(7)

I. Search and Seizure: 4th Amendment "Reasonable Expectation of Privacy"

A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation of privacy.

“Closed container” rule

– The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a

(8)

I. Search and Seizure: Intelligence Gathering

Is there a computer in use?

What kind of computer and operating system?

What evidence do you want?

(9)

I. Search and Seizure: The

Control the scene

– Time the raid so that you have control.

Control individuals

– Separate suspects from the equipment.

– Control others present even if they are not suspects.

Identify potential evidence

– Know what you are looking for.

Eliminate threats

– Assess the possibility that the system can be controlled from a remote system...

– Eliminate this threat immediately!!!

(10)

II. Processing the Scene

(11)

II. Processing the Scene (Continued)

Document! Document!! Document!!!

– The individual who occupies the office

– The names of the employees who may have access to the office

– The location of the computer system in the room

– The state of the system (whether it is powered on, and what is visible on the screen)

– The people present at the time of the raid

– The serial numbers, models, and makes of the hard drives and components of the system

(12)

II. Processing the Scene (Continued)

On-screen activity -- Power down or not?

Is the activity destructive?

– Yes -- Stops/Freezes further data loss if self-destructing software is in use

Is there anything of evidentiary value?

– No -- You will lose anything that’s in memory

– Verify system info (date and time)

(13)

II. Processing the Scene (Continued)

Wear surgical gloves

Photograph

– Books

– Papers

– Notes

– Hardware

Note position of all manuals

Seize all manuals

(14)

II. Processing the Scene (Continued)

Tag and label all physical components and record identifying information.

Clearly label components with a "DON'T TOUCH OR OPERATE" warning!

Only disassemble enough to facilitate transport.

(15)

II. Processing the Scene (Continued)

Identify Network connections (LAN, WAN, DSL, Cable) and disable.

Tag both ends of all wires, even if one end of the wire is not connected to anything!

Be aware of wireless networks.

Disconnect phone and modem lines.

– Mark each line so you know where it came from.

– Do NOT unplug power for memory

(16)

III. Preserving the Evidence

Typical kinds of evidence in computer forensics

– Computer log files

• Successful and failed logins, website hits, access logs, error logs, etc.

– Other access records

• Phone records, physical access logs

– E-mail communications

– Electronic storage media

• Hard drive, floppy disks, CDs, tapes, other media

(17)

III. Preserving the Evidence

Evidence Life Cycle:

– Collection and Identification

– Analysis

– Storage, Preservation, Transportation

– Presentation

– Return (if applicable)

Thou shalt not alter the evidence in any way. Ensure that:

– No evidence is damaged, destroyed, or otherwise compromised.

– Evidence is properly handled and protected

– Information which must remain private does so:

(18)

III. Preserving the Evidence:

DON’T BOOT FROM THE HARD DRIVE

– Boot from other media:

• Boot from floppy or CD

– Use new boot disks for each seizure

– Access hard drive as slave in another machine

– Use write-protecting software or device

The only reason you will use the suspect hard drive:

– To create an image of it.

(19)

III. Preserving the Evidence (Continued)

Make a mirror image backup of the hard drive

– Digital evidence can be duplicated with no degradation from copy to copy.

– Authenticate the file system
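An added example (not from the handout) of the imaging-and-authentication step in Python: it copies a constructed stand-in for the suspect drive block by block, hashes the stream during acquisition, re-hashes the finished image to authenticate it, and shows that a single altered byte makes verification fail. The file names, block size and sample contents are constructed for the example; on a real acquisition the source would be the device node behind a hardware write blocker, not a regular file, and opening it read-only in software is only a secondary precaution.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # fixed read/write block, like dd's bs= (constructed value)


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream a file through the named hash algorithms and return hex digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, image):
    """Copy every byte of `source` to `image`, hashing the stream as it is read.

    Returns (bytes_copied, acquisition_hashes). The source is opened read-only;
    that is a software precaution only and does not replace a write blocker."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
            copied += len(chunk)
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, acquisition_hashes):
    """Re-hash the finished image and compare with the hashes taken during acquisition."""
    verification = hash_file(image, tuple(acquisition_hashes))
    return verification == acquisition_hashes


def demo():
    """Construct a fake 'drive' in a temp dir, image it, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect_drive.bin")   # constructed stand-in for a device
        image = os.path.join(d, "suspect_drive.dd")
        # constructed sample device contents: three full blocks plus a partial block
        with open(drive, "wb") as f:
            f.write(b"BOOT" * 1024 + os.urandom(8192) + b"tail")
        copied, hashes = image_device(drive, image)
        source_hashes = hash_file(drive)
        ok_before = verify_image(image, hashes) and hashes == source_hashes
        # flip one byte of the image; authentication must now fail
        with open(image, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, hashes)
        return copied, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The acquisition hashes belong in the examination log next to the drive's make, model and serial number, so that any later copy of the image can be authenticated against the original.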

(20)

III. Preserving the Evidence: Examples of Imaging Tools

HARDWARE

Tape Drives

Removable Media (Zip, Jaz, etc.)

Clone or Slave Drives

Network Servers

Optical Drives (CD-ROM, Magneto-Optical, DVD, Etc.)

Disk Duplicators

SOFTWARE

Byte Back

Linux "dd"

Norton Ghost

SafeBack

EnCase

SnapBack

DatArrest

Anadisk/Teledisk

Image -
(21)

III. Preserving the Evidence: Examples of Imaging Tools (continued)

EnCase (Guidance Software, Pasadena, CA)

– Imaging program -- makes an exact image of the original hard drive.

– Provides authentication of the file system

– “THE” standard commercial computer forensic toolkit.

(22)

III. Preserving the Evidence: Chain of Custody

Chain of Custody

– Who obtained it?

– When / where was it obtained?

– Who secured it and how?

– Who controlled it after being secured?

– Who accessed or handled it?

– Fewer custodians is better – less to testify

(23)

IV. Evidence Examination

Use a systematic approach

– Create an examination log

– Keep detailed notes

– Audio tape your examination

Admissibility:

– Must be relevant, reliable, permissible

(24)

IV. Evidence Examination: Finding the needle …

Discovering all files

– including normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.

Recovering all (or as much as possible) of deleted files.

Revealing the content of hidden files as well as temporary files

– ones used in both the application programs and the operating system.

(25)

IV. Evidence Examination: Finding the needle (continued)

Analyze all possibly relevant data – items found in special and typically inaccessible areas of the disk

Unallocated space on a disk – not currently in use, but possibly the repository of previous data that is relevant evidence

Slack space in a file – the remnant area at the end of a file in the last assigned disk cluster, which is unused by current file data but, once again, a possible site for previously created and relevant evidence

Print out an overall analysis of the subject computer

(26)

IV. Evidence Examination: Finding the needle: Deleted files

Often, evidence that the suspect no longer believes is recoverable can be found on the suspect’s computer.

File “Delete” does not necessarily remove the file itself
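The two preceding slides (unallocated space and slack space, and the fact that "Delete" leaves the file's bytes in place) can both be shown on one toy volume. The Python below is an added example, not part of the handout: a cluster-allocated volume where deleting a file only drops the directory entry and frees its clusters, so a later, smaller file overwrites the start of the old one and leaves the remainder in its slack, while the old file's other clusters sit in unallocated space and can be carved back by header/footer. The 64-byte cluster size, file names and memo contents are constructed for the example.

```python
import re

CLUSTER = 64  # bytes per cluster; a toy size for the example (real volumes use 4 KiB or more)


class ToyVolume:
    """A tiny cluster-allocated volume: raw bytes plus a directory of live files.

    Deleting a file only removes its directory entry and frees its clusters;
    the bytes on disk are left exactly as they were."""

    def __init__(self, n_clusters):
        self.disk = bytearray(CLUSTER * n_clusters)
        self.free = list(range(n_clusters))   # free cluster numbers, reused front-first
        self.dir = {}                          # name -> (size, [cluster numbers])

    def write(self, name, data):
        needed = max(1, -(-len(data) // CLUSTER))   # ceiling division
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # only the file's own bytes are written; the tail of the last cluster
            # keeps whatever was there before -- that tail is the file slack
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.dir[name] = (len(data), clusters)

    def delete(self, name):
        _, clusters = self.dir.pop(name)
        self.free = clusters + self.free   # back to the pool; contents untouched

    def slack(self, name):
        """Bytes after the end of the file in its last cluster."""
        size, clusters = self.dir[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.disk[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def unallocated(self):
        """Contents of every cluster no live file points to, in disk order."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in sorted(self.free))


def carve(blob, header, footer):
    """Header/footer carving: every run that starts with header and ends with footer."""
    pattern = re.escape(header) + b".*?" + re.escape(footer)
    return re.findall(pattern, blob, flags=re.DOTALL)


def demo():
    vol = ToyVolume(8)
    # constructed sample data: a 150-byte memo (3 clusters) that the user later deletes
    memo = (b"Subject: horse race fix\n" + b"." * 46
            + b"<<ACCT 12345 WIRE 30000>>" + b"." * 55)
    vol.write("memo.txt", memo)
    vol.delete("memo.txt")
    vol.write("note.txt", b"groceries\n")   # 10 bytes reuse the memo's first cluster
    slack = vol.slack("note.txt")
    unalloc = vol.unallocated()
    return {
        # the overwritten first cluster still holds most of the old subject line in slack
        "fragment_in_slack": b"orse race fix" in slack,
        # the memo's second cluster is unallocated and the record carves out whole
        "carved": carve(unalloc, b"<<", b">>"),
        # the first 10 bytes really were overwritten; that part is gone
        "overwritten_header_survives": b"Subject:" in unalloc or b"Subject:" in slack,
    }


if __name__ == "__main__":
    print(demo())
```

Real tools do the same scan over the whole image, which is why the handout insists on examining a copy: every write to the original, even a harmless-looking one, can overwrite exactly the clusters that still hold the deleted file.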

(27)

IV. Evidence Examination: Deleted File Recovery Tools

Software

– Norton Un-erase

– EnCase

Hardware

(28)


(29)

Summary

Computer crime is more than hacking

Just because it’s deleted doesn’t mean it’s gone

Don’t touch that computer! DO NOT ACCESS FILES!

– Make copies -- examine copied files

Document EVERYTHING!

(30)

Acknowledgements

We would like to thank the following for their assistance in the preparation of this presentation:

– LSU students and alumni

• Patrick Blake, Erin Hopper, Jackson Kon, Eric Smith, Xiaotao Wang

(31)

Computer Forensics Resources

Federal Guidelines for Search and Seizing Computers
http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm

FBI Handbook of Forensic Services
http://www.fbi.gov/hq/lab/handbook/intro.htm

Updates and Supplementary DOJ Information
http://www.usdoj.gov/criminal/cybercrime/searching.html

Computer Crimes Criminal Justice Links
http://www.co.pinellas.fl.us/bcc/juscoord/ecomputer.htm

Computer and Internet Security Links
http://www.virtuallibrarian.com/legal/

Forensics Science and Law Enforcement Links
http://www.ssc.msu.edu/~forensic/links.html

The National White Collar Crime Center PC Forensics
http://www.pcforensics.com

Computer Forensics, Inc.
www.forensics.com

SC Magazine
