Computer Forensics
Tim Louwers, Ph.D., CPA, CIA, CISA
Computer Crime
Types of Computer Crimes
– Hacking/cracking, network intrusion
– Computer viruses
– Harassment and cyberstalking
– Industrial espionage, insider crimes
– Employee misconduct
– Child pornography
– Pirated software
Examples
Hackers reroute phone lines to guarantee winning radio giveaway.
– Two Porsches and $30,000
Network program designer unleashes $10 million computer "bomb."
– Bomb permanently deleted all of the company's sophisticated software programs.
Three Drexel frat brothers "fix" horse race
– Prosecutors called it a real-life version of "The Sting" -- an insider exploiting a hole in
Computer Forensics Defined
"The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity." -- The SANS (SysAdmin, Audit, Network, Security) Institute
"The application of computer investigation and analysis techniques in the interests of determining potential legal evidence." -- Judd Robbins (Computer Forensics Investigator)
"The science of acquiring, preserving, retrieving, and presenting data that has been
Computer Forensics
The computer is used as a storage medium -- evidence can be retrieved even when the data has been deleted.
Useful aid in law enforcement.
– Tracking terrorists
– Impeaching Presidents
– Tracing computer virus creators
Evidence that can be found with Computer Forensic Techniques
– All existing data in the computer's directory structure.
– Any deleted files which have not yet been overwritten by the operating system.
– Deleted emails.
– Pages recently printed on the suspect's printer.
– Renamed files.
– Application software.
– Specific words, numbers, etc.
– Recently accessed web sites.
– Passwords to commonly used programs/websites.
I. Search and Seizure:
4th Amendment: "Reasonable Expectation of Privacy"
A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation of privacy.
"Closed container" rule
– The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a
I. Search and Seizure: Intelligence Gathering
Is there a computer in use?
What kind of computer and operating system?
What evidence do you want?
I. Search and Seizure: The
Control the scene
– Time the raid so that you have control.
Control individuals
– Separate suspects from the equipment.
– Control others present even if they are not suspects.
Identify potential evidence
– Know what you are looking for.
Eliminate threats
– Assess the possibility that the system can be controlled from a remote system...
– Eliminate this threat immediately!!!
II. Processing the Scene
II. Processing the Scene (Continued)
Document! Document!! Document!!!
– The individual who occupies the office
– The names of the employees who may have access to the office
– The location of the computer system in the room
– The state of the system (whether it is powered on, and what is visible on the screen)
– The people present at the time of the raid
– The serial numbers, models, and makes of the hard drives and components of the system
II. Processing the Scene (Continued)
On-screen activity -- power down or not?
– Is the activity destructive (e.g., a wipe or self-destruct routine running)?
• Power down -- cutting the power stops/freezes further data loss if self-destructing software is in use.
– Is there anything of evidentiary value in memory?
• Leave it on -- once the power is cut you lose anything that exists only in memory (running processes, open network connections, unsaved documents, keys for any mounted encrypted volumes).
– In either case verify and record the system info (date and time) first; every timestamp on the disk is read against that clock.
II. Processing the Scene (Continued)
Wear surgical gloves
Photograph
– Books
– Papers
– Notes
– Hardware
Note position of all manuals
Seize all manuals
II. Processing the Scene (Continued)
Tag and label all physical components and record identifying information.
Clearly label components with a "DON'T TOUCH OR OPERATE" warning!
Only disassemble enough to facilitate transport.
II. Processing the Scene (Continued)
Identify network connections (LAN, WAN, DSL, cable) and disable them.
Tag both ends of all wires, even if one end of the wire is not connected to anything!
Be aware of wireless networks.
Disconnect phone and modem lines.
– Mark each line so you know where it came from.
– Do NOT unplug the power: whatever is held only in memory is lost the moment the power goes.
III. Preserving the Evidence
Typical kinds of evidence in computer
forensics
– Computer log files
• Successful and failed logins, website hits, access logs, error logs, etc.
– Other access records
• Phone records, physical access logs
– E-mail communications
– Electronic storage media
• Hard drive, floppy disks, CDs, tapes, other media
III. Preserving the Evidence
Evidence Life Cycle:
– Collection and Identification
– Storage, Preservation, Transportation
– Analysis
– Presentation
– Return (if applicable)
Thou shalt not alter the evidence in any way. Ensure that:
– No evidence is damaged, destroyed, or otherwise compromised.
– Evidence is properly handled and protected.
– Information which must remain private does so.
III. Preserving the Evidence:
DON'T BOOT FROM THE HARD DRIVE
– Boot from other media:
• Boot from floppy or CD
– Use new boot disks for each seizure
– Access the hard drive as a slave in another machine
– Use write-protecting software or a device
The only reason you will use the suspect hard drive:
– To create an image of it.
III. Preserving the Evidence (Continued)
Make a mirror image backup of the hard drive
– Digital evidence can be duplicated with no degradation from copy to copy.
– Authenticate the file system
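Making the mirror image and authenticating it, as an added example that is not part of the original slides: a POSIX shell script that stands a constructed 1 MiB file of random bytes in for the seized drive, images it with dd (the "Linux dd" listed among the imaging tools below) and compares the SHA-256 hash of the source taken before imaging with the hash taken after imaging and with the hash of the image. The tool names (dd, sha256sum with a shasum fallback, mktemp), the file names and the block size are assumptions; on a real seizure the source would be a block device behind a hardware write blocker, not a file.

```shell
#!/bin/sh
# Added example (not from the original slides): acquire a raw image of a seized
# drive with dd and authenticate it with SHA-256 hashes taken before and after.
# Assumes a Linux/BSD userland with dd and sha256sum (or shasum). The "drive"
# is a constructed 1 MiB file so the script runs offline; on a real seizure the
# source is a block device (e.g. /dev/sdb) read through a write blocker.

BLOCK=4096

# Constructed stand-in for the suspect drive: 256 blocks of pseudo-random bytes.
make_sample_volume() {
  dd if=/dev/urandom of="$1" bs=$BLOCK count=256 2>/dev/null
}

# SHA-256 of a file or device as a bare hex string.
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Raw, sector-for-sector copy. conv=noerror,sync makes dd continue past an
# unreadable sector and pad it with zeros, so the image keeps the source's
# geometry; dd's own record summary is appended to the acquisition log.
acquire_image() {
  dd if="$1" of="$2" bs=$BLOCK conv=noerror,sync 2>>"$3"
}

# Hash the source, image it, hash the source again, hash the image.
# All three equal means (a) the image is bit-identical to the source and
# (b) the acquisition did not modify the source. Returns 0 on success.
image_and_verify() {
  src="$1"; img="$2"; log="$3"
  pre=$(hash_of "$src")
  printf 'source sha256 before imaging: %s\n' "$pre" >>"$log"
  acquire_image "$src" "$img" "$log"
  post=$(hash_of "$src")
  copy=$(hash_of "$img")
  printf 'source sha256 after imaging:  %s\n' "$post" >>"$log"
  printf 'image sha256:                 %s\n' "$copy" >>"$log"
  [ "$pre" = "$post" ] && [ "$pre" = "$copy" ]
}

# Demo run on the constructed volume.
work=$(mktemp -d)
make_sample_volume "$work/suspect.raw"
if image_and_verify "$work/suspect.raw" "$work/suspect.dd" "$work/acquisition.log"; then
  echo "image authenticated"
else
  echo "HASH MISMATCH - do not rely on this image"
fi
cat "$work/acquisition.log"
```

Run it and the three hashes in the log are identical; any later change to the image, even one byte, breaks the match, which is the check that makes a copy usable in place of the original. The post-imaging hash of the source is the part practitioners skip most often, and it is the one that proves the write blocker worked.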
III. Preserving the Evidence: Examples of Imaging Tools
HARDWARE
– Tape drives
– Removable media (Zip, Jaz, etc.)
– Clone or slave drives
– Network servers
– Optical drives (CD-ROM, magneto-optical, DVD, etc.)
– Disk duplicators
SOFTWARE
– Byte Back
– Linux "dd"
– Norton Ghost
– SafeBack
– EnCase
– SnapBack DatArrest
– Anadisk/Teledisk
– Image
III. Preserving the Evidence: Examples of Imaging Tools (continued)
EnCase (Guidance Software, Pasadena, CA)
– Imaging program -- makes an exact image of the original hard drive.
– Provides authentication of the file system
– "THE" standard commercial computer forensic toolkit.
III. Preserving the Evidence: Chain of Custody
Chain of Custody
– Who obtained it?
– When / where was it obtained?
– Who secured it and how?
– Who controlled it after being secured?
– Who accessed or handled it?
– Fewer custodians is better -- fewer people who must testify.
IV. Evidence Examination
Use a systematic approach
– Create an examination log
– Keep detailed notes
– Audio tape your examination
Admissibility:
– Must be relevant, reliable, permissible
IV. Evidence Examination: Finding the needle …
Discovering all files
– including normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
Recovering all (or as much as possible) of deleted files.
Revealing the content of hidden files as well as temporary files
– ones used in both the application programs and the operating system.
IV. Evidence Examination: Finding the needle (continued)
Analyze all possibly relevant data -- items found in special and typically inaccessible areas of the disk
– Unallocated space on a disk -- clusters not currently assigned to any file, but possibly the repository of previous data that is relevant evidence
– Slack space in a file -- the remnant area at the end of a file in the last assigned disk cluster, unused by the current file's data but once again a possible site for previously created and relevant evidence
Print out an overall analysis of the subject computer
IV. Evidence Examination: Finding the needle: Deleted files
Often, evidence that the suspect no longer believes is recoverable can be found on the suspect's computer.
File "Delete" does not necessarily remove the file itself
– Typically only the directory entry is removed and the file's clusters are marked free; the data stays on disk until those clusters are reused.
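The slack space and unallocated space described above, and the deleted-file point just made, as one added example that is not from the original slides: a POSIX shell script that builds a constructed 4 KiB raw image with a hand-chosen layout (512-byte clusters, a 700-byte live file, an older remnant left in its slack, a deleted document in a free cluster), then uses dd to pull out the file slack and the unallocated clusters and reduces them to printable strings for a keyword search. The cluster size, file sizes, offsets and contents are assumptions made for the demo; on a real image the same numbers come from the filesystem's own metadata (for FAT, the directory entry and the cluster chain).

```shell
#!/bin/sh
# Added example (not from the original slides): carve file slack and unallocated
# clusters out of a raw image and look in them for remnants of a deleted file.
# The disk layout is an assumption chosen for the demo, not any real filesystem:
# 512-byte clusters, 8 clusters in total, and a hand-written allocation list.
CLUSTER=512
NCLUSTERS=8

# Build the constructed image:
#   clusters 0-1  live file report.txt, logical size 700 bytes. It fills cluster 0
#                 and the first 188 bytes of cluster 1; the remaining 324 bytes of
#                 cluster 1 are file slack and still hold data from an older file.
#   cluster 4     a document that was "deleted": its directory entry is gone, but
#                 the cluster was never reused, so its bytes are still on disk.
#   everything else is zero.
build_image() {
  img="$1"
  dd if=/dev/zero of="$img" bs=$CLUSTER count=$NCLUSTERS 2>/dev/null
  # older contents left behind in what becomes report.txt's slack (offset 800)
  printf 'OLD DRAFT: wire 30000 to account 4471' |
    dd of="$img" bs=1 seek=800 conv=notrunc 2>/dev/null
  # report.txt itself: 700 bytes of 'A' starting at cluster 0
  dd if=/dev/zero bs=1 count=700 2>/dev/null | tr '\0' 'A' |
    dd of="$img" bs=1 conv=notrunc 2>/dev/null
  # deleted document sitting in unallocated cluster 4
  printf 'CONFIDENTIAL memo deleted on Friday' |
    dd of="$img" bs=1 seek=$((4 * CLUSTER)) conv=notrunc 2>/dev/null
}

# File slack: the bytes between a file's logical end and the end of its last
# cluster. Arguments: image, first cluster, number of clusters, logical size.
extract_slack() {
  start=$(( $2 * CLUSTER + $4 ))
  length=$(( ($2 + $3) * CLUSTER - $4 ))
  dd if="$1" bs=1 skip=$start count=$length 2>/dev/null
}

# Unallocated space: every cluster not in the space-separated allocated list.
extract_unallocated() {
  img="$1"; allocated="$2"
  c=0
  while [ "$c" -lt "$NCLUSTERS" ]; do
    case " $allocated " in
      *" $c "*) ;;                                   # in use by a live file, skip
      *) dd if="$img" bs=$CLUSTER skip=$c count=1 2>/dev/null ;;
    esac
    c=$((c + 1))
  done
}

# Reduce raw bytes to printable runs, one per line, so a keyword search works.
printable_strings() {
  tr -c '[:print:]' '\n' | grep -v '^$'
}

# Demo: examine the constructed image the way the slides describe.
work=$(mktemp -d)
build_image "$work/disk.img"
echo "== slack of report.txt (clusters 0-1, 700 bytes) =="
extract_slack "$work/disk.img" 0 2 700 | printable_strings
echo "== unallocated clusters =="
extract_unallocated "$work/disk.img" "0 1" | printable_strings
echo "== keyword hits across both regions =="
{ extract_slack "$work/disk.img" 0 2 700; extract_unallocated "$work/disk.img" "0 1"; } |
  printable_strings | grep -i -e confidential -e account
```

Neither string is reachable through the directory listing: the slack remnant sits inside a cluster that belongs to report.txt, and the deleted memo sits in a cluster nothing points to. Reading with `bs=1` is fine for a 4 KiB demo but slow on a real drive; the forensic suites listed earlier do the same arithmetic from the filesystem metadata and read cluster-sized blocks.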
IV. Evidence Examination: Deleted File Recovery Tools
Software
– Norton Un-erase
– EnCase
Hardware
Summary
Computer crime is more than hacking
Just because it’s deleted doesn’t
mean it’s gone
Don’t touch that computer! DO NOT
ACCESS FILES!
– Make copies -- examine copied files
Document EVERYTHING!
Acknowledgements
We would like to thank the following for their assistance in the preparation of this presentation:
– LSU students and alumni
• Patrick Blake, Erin Hopper, Jackson Kon, Eric Smith, Xiaotao Wang
Computer Forensics Resources
Federal Guidelines for Search and Seizing Computers
http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm
FBI Handbook of Forensic Services
http://www.fbi.gov/hq/lab/handbook/intro.htm
Updates and Supplementary DOJ Information
http://www.usdoj.gov/criminal/cybercrime/searching.html
Computer Crimes Criminal Justice Links
http://www.co.pinellas.fl.us/bcc/juscoord/ecomputer.htm
Computer and Internet Security Links
http://www.virtuallibrarian.com/legal/
Forensics Science and Law Enforcement Links
http://www.ssc.msu.edu/~forensic/links.html
The National White Collar Crime Center PC Forensics
http://www.pcforensics.com
Computer Forensics, Inc.
www.forensics.com
SC Magazine