Introduction to Computer Forensics
Brent Williams
MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ KSU ETTC
Slides at: www.speakwisdom.com
Caveat
• I am not dispensing legal advice
• Use what you hear, read, and do at your own risk
• Consult with your legal advisor when
The Need for Computer Forensics
• Anyone can access anything via the internet
• Students, faculty, staff and parents doing bad stuff!
• Technology is more sophisticated
– Faster
– More portable
Concerns
• Pornography
– Child Pornography
• Emails
– Threatening
– Relationship related
• Instant Messages
• Web sites (MySpace)
– Bullying
Bringing Things to School
PDAs and Cell Phones
• Palm
– Fading?
– Lots of apps and storage (flash)
– Infrared and Bluetooth beaming
• Windows Mobile
– Lots of storage (flash)
– Familiar interface
– Easily networked (WiFi, Bluetooth)
– View photos and movies
More Threats
• Downloads
– To School PCs
• CDs/DVDs
• Social Networking Sites
– Facebook
– MySpace
• Phishing
Objectives
• Gain Basic Knowledge
– What is Computer Forensics?
– Concepts
– Procedures
– What Not to Do?
– What to Do Next?
Do You Have a Duty To Report?
• Yes, if you suspect a crime has been committed
• Yes, if you suspect “sexual exploitation” including conduct involving child pornography.
• Once you bring in police, you stop
Kinds of Forensics
• PC/Laptop
– Files, email, internet activity
• Device
– Cell phone
– PDA
– MP3 Player (iPod!)
• Network
– Internet traffic
Places
• High Technology Crime Investigation
Association
– www.htcia.org
• Atlanta HTCIA
– www.atlhtcia.org
• Southeast Cybercrime Summit
Places
• Access Data (FTK)
– www.accessdata.com
• X-Ways Forensics (WinHex)
– www.x-ways.com
• ProDiscover
– www.techpathways.com
• Helix
Certification
• Certified Computer Examiner
– http://www.certified-computer-examiner.com/index.html
• More
– Google search “computer forensics”
• Books
– Plenty!
Preparation
What to Do Before You Start
Build a Response Team
• Cover all bases
– Legal, Technical, Law Enforcement, PR
• Attorney or Legal Advisor
• Strong “Geek”
– Vast knowledge required
• School Law Enforcement Person, Local Police
Incident Response Plan
• Response plan
– Who is called?
– How are others notified?
• Clear process
– Who has responsibility for what?
– Decision Points
• Policy issue / Legal issue
• Coordinate with law enforcement
Someone Must Know Your Hardware & Software
• Servers
• Workstations
• PDAs
• CD-ROM, CD/DVD
• Webcams
• Modems
• Key Loggers
• USB Devices
• Wireless
• Windows
– 9x, 2000, 2003, XP
• Unix/Linux
• OS X
• DOS
• FAT
• NTFS
Someone Must Know
Auditing and Logging
• Know where the OS keeps logs
• Know the kinds of OS logs
– Windows
•Event viewer
•Auditing
• Date and time of device
• Date and time of log entries
Will this End Up in Court?
• Assume your case will!
• Courts require ample unaltered evidence
• Evidence must be processed properly
• Specially trained team should always
Main Emphasis of Forensics
• Identify the Evidence
• Determine how to preserve the evidence
• Extract, process, and interpret the evidence
• Ensure that the evidence is
Evidence
• Computer evidence is fragile
• Courts know that digital evidence is easily planted/altered
• You must be able to show that evidence is pristine and unmodified!
Evidence
• Can include any form of electronic data
• Can include devices
– Computers
– CD-ROMs
– Floppies
– Cellular Telephones
– Pagers
Rules
• More latitude in schools/businesses
– Internal processes
– Governed by policy documents
– Expectation of privacy
• Law enforcement works under more
restrictive rules
– Subpoenas & search warrants
– Chain of command
What to “Prosecute”?
• Harm inflicted?
• Violation of Written Policy?
• Policy communicated to teacher/student/parents?
• Investigation conducted by trained personnel?
Problem in School Systems
• Security and Forensics projects don’t
generate revenue
– Or FTEs
• Hard to get “higher up” to understand need
– Until superintendent and board picture is in the paper
Training
• Training team is essential
• They need to
– Learn basic procedures
– Gain expertise in technical areas
• Sufficient Personal Interest?
End User Training
• Users need to be aware
– School System Policies
– Requirements to guard information
– Laws
– Awareness of Illegal Activities
– Social Engineering
– Spyware
Do It Right!
• Photograph system scene
• Take Notes (two present)
• Get the basics
– System Model/SN
– HD model and SN
– System Date/Time
– BIOS boot info
• Power Down (pull plug)
Evidence Gathering
• Have secure-erased drives ready
• Get Suspect Drive Image
– Attach a write-blocker
– Get two or more images of the drive
• Seal original drive
– Place a copy of the drive back in the PC (if appropriate)
Preparing an Evidence Drive
• Use large drives
• Have several
• Secure-erase all drives
– Record date, time, and method
• Store in locked area
• Software to Secure Erase?
– Helix
– WinHex Pro
Prepare Evidence Drive
– Connect to Analysis PC
– WinHex Pro
•Select Physical Media (not Logical Drive)
•Edit / Fill Sectors / hex 00
•Will take several minutes
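The slide describes the Windows route (WinHex, Fill Sectors with hex 00). The script below is an added example, not from the deck, showing the same preparation on the Linux side that the later dd slides use: zero-fill the target, verify that every byte really is zero, and write the date, time and method into a preparation log as the previous slide asks. The "drive" is a constructed regular file so the script runs offline; on a real analysis PC the target would be the device node of the evidence drive, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): prepare an evidence "drive" by
# zero-filling it, verifying the fill, and recording date, time and method.
# The target here is a constructed regular file; on a real system it would
# be the physical device node of the evidence drive (a placeholder such as
# /dev/sdX, chosen with great care, since dd will overwrite whatever it is given).

# Zero-fill the target with dd, the Linux equivalent of WinHex's
# "Edit / Fill Sectors / hex 00".
secure_erase_zero() {
    target="$1"      # file or device path
    size_mb="$2"     # amount to write, in MiB
    dd if=/dev/zero of="$target" bs=1048576 count="$size_mb" 2>/dev/null
}

# Return 0 if the target contains nothing but 0x00 bytes, 1 otherwise.
# Deleting every NUL byte and counting what is left is portable and does
# not depend on GNU-only cmp options.
verify_zeroed() {
    remaining=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Append one tab-separated record: UTC timestamp, operator, target, method, result.
log_preparation() {
    logfile="$1"; target="$2"; method="$3"; result="$4"
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-uid-$(id -u)}" \
        "$target" "$method" "$result" >> "$logfile"
}

# Whole workflow: erase, verify, log. Echoes the verification result so a
# caller (or the locked-cabinet label) can quote it.
prepare_evidence_drive() {
    target="$1"; size_mb="$2"; logfile="$3"
    secure_erase_zero "$target" "$size_mb"
    if verify_zeroed "$target"; then
        result="verified-all-zero"
    else
        result="VERIFY-FAILED"
    fi
    log_preparation "$logfile" "$target" "dd if=/dev/zero bs=1M" "$result"
    echo "$result"
}

# Constructed demo: a 4 MiB file standing in for a previously used drive.
demo_dir=$(mktemp -d)
demo_drive="$demo_dir/evidence-drive.img"
demo_log="$demo_dir/preparation.log"
dd if=/dev/urandom of="$demo_drive" bs=1048576 count=4 2>/dev/null   # old content to remove
prepare_evidence_drive "$demo_drive" 4 "$demo_log"
cat "$demo_log"
```

The verification step is the part worth keeping: a log line that says "zeroed" is only as good as the check behind it, and reading the drive back after the fill is what lets you later show that nothing from an earlier case could have been on it.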
Image Options
• Boot suspect PC with Helix
– Easiest for laptops
• Attach USB evidence drive
Image Options
• Remove HD from Suspect, place as Slave in Analysis PC
– Use Write Blocker
• Remove HD from PC, place in USB Case
– Use Write Blocker
Image Options
• Get image
– Multiple copies
• Image Type
– Drive to Drive
Sources for Write Blockers
• www.digitalintelligence.com
• www.blackbagtech.com
Other Image Options
• Use USB Evidence Drive
– Boot PC with Knoppix or Helix CD
– Open terminal window
– dd if=/dev/hda of=/dev/sda
– Speed: 1 hour per GB
– Boot PC with Helix CD
– Open terminal window
– dcfldd if=/dev/hda of=/dev/sda
Other Image Options
– GHOST!
•Boot with BartPE CD
– Open command window
– ghost32 -ir -fnf
– (Image Raw, No Fingerprint)
– Speed: 2 min per GB
– GHOST!
•Version 7.5 or later
•Boot with Ghost Floppy
What is the Hash?
• Used to verify that image is accurate
• MD5 suspect drive or partition
• MD5 image
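The dd and hash slides together describe one procedure: raw-copy the suspect drive to the evidence drive, then hash the original and the image and compare. The script below is an added example (not the deck's own material) that runs that procedure end to end on a constructed 1 MiB file standing in for the suspect drive, takes two images as the slides recommend, and shows what the hash check reports when a copy has been altered. It keeps the MD5 the slides use and records SHA-256 next to it; the function names and the log format are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): image a "suspect drive" with dd, hash
# the original and the image, and compare. The drive is a constructed file so
# the script runs offline; in a real case the input is the device node seen
# through the write blocker (the slides use /dev/hda) and the output is the
# prepared evidence drive.

# Print the hex digest of a file. MD5 is what the slides use; SHA-256 is
# recorded as well because MD5 collisions are practical today and a second,
# independent digest in the record costs nothing. The fallbacks cover BSD/macOS.
hash_of() {
    file="$1"; algo="$2"   # algo: md5 or sha256
    case "$algo" in
        md5)    if command -v md5sum >/dev/null 2>&1; then md5sum "$file" | cut -d' ' -f1
                else md5 -q "$file"; fi ;;
        sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$file" | cut -d' ' -f1
                else shasum -a 256 "$file" | cut -d' ' -f1; fi ;;
    esac
}

# Sector-for-sector raw copy, as in "dd if=/dev/hda of=/dev/sda".
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros, so the image keeps the same size and layout as the source.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Return 0 when the image hashes identically to the source under both
# algorithms, 1 otherwise, and append a record line either way:
# timestamp, image path, image MD5, image SHA-256, source MD5, status.
verify_image() {
    src="$1"; img="$2"; record="$3"
    src_md5=$(hash_of "$src" md5);    img_md5=$(hash_of "$img" md5)
    src_sha=$(hash_of "$src" sha256); img_sha=$(hash_of "$img" sha256)
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]; then
        status=MATCH
    else
        status=MISMATCH
    fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$img" "$img_md5" "$img_sha" "$src_md5" "$status" >> "$record"
    [ "$status" = MATCH ]
}

# Constructed demo: a 1 MiB pseudo-drive, two images, and one tampered copy.
demo=$(mktemp -d)
suspect="$demo/suspect.dd"
dd if=/dev/urandom of="$suspect" bs=1024 count=1024 2>/dev/null
image_drive "$suspect" "$demo/image1.dd"
image_drive "$suspect" "$demo/image2.dd"
verify_image "$suspect" "$demo/image1.dd" "$demo/hashes.log" && echo "image1 verified"
verify_image "$suspect" "$demo/image2.dd" "$demo/hashes.log" && echo "image2 verified"
# Overwrite the final sector of a copy with zeros: the hashes no longer match.
cp "$demo/image2.dd" "$demo/altered.dd"
dd if=/dev/zero of="$demo/altered.dd" bs=512 seek=2047 count=1 conv=notrunc 2>/dev/null
verify_image "$suspect" "$demo/altered.dd" "$demo/hashes.log" || echo "altered copy rejected"
cat "$demo/hashes.log"
```

Hash the image twice in practice: once right after acquisition, while the original is still connected through the write blocker, and again before analysis begins, so a storage fault on the evidence drive is caught before it can be mistaken for tampering.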
Extracting
Analysis
• Work on Image, not Original
• Time Consuming!
• Tools Allow
– Finding deleted files
•Images
•IE cache
– Searching for text (“drugs”, etc.)
– Show Hidden Files
Definitions
• Unallocated Space
– Space never used on a hard drive
– Space made available by deleted files
• Slack Space
1. Examine Suspect HD
• Boot Suspect PC with Helix
• Hidden Drive? (QTParted)
• Browse with File Manager
– See images, open documents
– See hidden partition
• Use Retriever
1a. Examine USB Evidence Drive Image in Windows
• Use Windows Disk Management MMC
to look at Partition
• My Computer
• Search
• Wrong Extension?
• Encrypted?
• MS TweakUI
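"Wrong Extension?" is the case where a picture has been renamed to look like a document. The check a tool makes is to compare the file's first bytes (its signature, or magic number) with what the extension claims. The script below is an added example, not from the deck, that performs that check over a directory with a small signature table; the signatures are the genuine ones for each format, the sample files are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): flag files whose content signature does
# not match their extension, e.g. a JPEG renamed "homework.txt". The signature
# table holds real magic bytes; the files scanned at the bottom are constructed.

# First N bytes of a file as a lowercase hex string, e.g. "ffd8ff".
magic_of() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Map a signature to the extension it implies, or "unknown" if not in the table.
type_from_magic() {
    case "$1" in
        ffd8ff*)           echo jpg ;;   # JPEG: ff d8 ff
        89504e470d0a1a0a*) echo png ;;   # PNG:  89 "PNG" 0d 0a 1a 0a
        474946383[79]61*)  echo gif ;;   # GIF87a / GIF89a
        25504446*)         echo pdf ;;   # "%PDF"
        504b0304*)         echo zip ;;   # "PK" 03 04, also docx/xlsx/pptx/jar
        *)                 echo unknown ;;
    esac
}

# Echo OK, MISMATCH or UNKNOWN for one file, judged by its extension vs. content.
classify() {
    file="$1"
    name=${file##*/}
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   ext="" ;;
    esac
    case "$ext" in jpeg) ext=jpg ;; esac
    actual=$(type_from_magic "$(magic_of "$file" 8)")
    if [ "$actual" = unknown ]; then
        echo UNKNOWN
    elif [ "$ext" = "$actual" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Count the files in a directory whose extension lies about their content.
count_mismatches() {
    n=0
    for f in "$1"/*; do
        if [ "$(classify "$f")" = MISMATCH ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample directory: one honest JPEG, one JPEG hiding as .txt,
# one honest PDF, one plain text file with no known signature.
demo=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo/holiday.jpg"
printf '\377\330\377\340JFIF' > "$demo/homework.txt"
printf '%%PDF-1.4 '           > "$demo/syllabus.pdf"
printf 'plain notes'          > "$demo/notes.txt"
for f in "$demo"/*; do
    printf '%-9s %s (signature %s)\n' "$(classify "$f")" "$f" "$(magic_of "$f" 4)"
done
echo "mismatches: $(count_mismatches "$demo")"
```

A five-entry table is enough to show the method; the `file` command and the signature analysis built into forensic suites know hundreds of formats, and a file that comes back UNKNOWN still deserves a look in a hex viewer rather than being written off.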
2. Find Images
• (Not Deleted)
• ExifPro
3. Find Deleted Files
4. Examine in Windows
• Examine PC with Helix Windows
– System Information
• Drive letter discrepancy?
– Incident Response
• Windows Forensics Toolchest
• Security Reports
• (others want NetCat)
– Scan for Images
• (no path information)
– Windows Search (for files)
WinHex
• Open .dd file
• Specialist
– Interpret file as disk
• View all .jpg’s in file system
– Tools, Disk Tools, Explore Recursively
– You can add path column
WinHex
• Find .jpg’s in Unallocated space
– Tools, Disk Tools, File Recovery by Type
• Find text in files
– Search, Find Text (or Simultaneous
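"File Recovery by Type" works because a JPEG can be recognised without any file system help: it begins with the SOI marker ff d8 ff and ends with the EOI marker ff d9, so a scanner can walk the raw bytes of unallocated space, find each SOI and copy through the following EOI. The script below is an added example, not WinHex's code or the deck's, that does exactly that over a constructed image containing zeroed sectors, two small JPEG-shaped blobs and some unrelated text; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): carve JPEGs out of a raw image by
# signature, the idea behind "File Recovery by Type". A JPEG starts with
# ff d8 ff (SOI) and ends with ff d9 (EOI); the scanner needs no directory
# entries, which is why it still works on unallocated space.
# The image below is constructed so the script runs offline.

# Print "offset length" for each JPEG candidate, one per line.
# od emits one hex byte per line; awk holds them in an array and scans.
find_jpeg_ranges() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | awk '
        NF == 0 { next }
        { b[n++] = $1 }
        END {
            i = 0
            while (i < n - 2) {
                if (b[i] == "ff" && b[i+1] == "d8" && b[i+2] == "ff") {
                    j = i + 3; found = 0
                    while (j < n - 1) {
                        if (b[j] == "ff" && b[j+1] == "d9") { found = 1; break }
                        j++
                    }
                    if (!found) break               # SOI with no EOI: truncated, stop
                    printf "%d %d\n", i, j + 2 - i  # start offset, length incl. EOI
                    i = j + 2
                } else {
                    i++
                }
            }
        }'
}

# Copy each candidate out with dd; echo how many files were carved.
carve_jpegs() {
    image="$1"; outdir="$2"; count=0
    for range in $(find_jpeg_ranges "$image" | tr ' ' ':'); do
        off=${range%%:*}; len=${range##*:}
        count=$((count + 1))
        dd if="$image" of="$outdir/carved_$count.jpg" bs=1 skip="$off" count="$len" 2>/dev/null
    done
    echo "$count"
}

# Constructed image: zero-filled "unallocated" sectors, two JPEG-shaped blobs
# with real markers and stand-in payloads, and a run of unrelated text between.
make_demo_image() {
    {
        dd if=/dev/zero bs=512 count=4 2>/dev/null
        printf '\377\330\377\340JFIF stub one\377\331'
        dd if=/dev/zero bs=512 count=2 2>/dev/null
        printf 'some document text that is not an image'
        printf '\377\330\377\341Exif stub two\377\331'
        dd if=/dev/zero bs=512 count=1 2>/dev/null
    } > "$1"
}

demo=$(mktemp -d)
make_demo_image "$demo/unallocated.dd"
find_jpeg_ranges "$demo/unallocated.dd"    # two lines: "2048 19" and "3130 19"
echo "carved $(carve_jpegs "$demo/unallocated.dd" "$demo") file(s) into $demo"
```

Two limits of this simple carver are worth knowing when reading a tool's results: a photo with an embedded EXIF thumbnail contains a second SOI/EOI pair inside the first, so stopping at the first EOI truncates the outer image, and a file stored in non-contiguous clusters cannot be recovered by a straight start-to-end copy at all. Real recovery tools handle the first case by parsing JPEG segment lengths and only partially handle the second.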
Email - Outlook Express
• Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
• OE Reader (free)
• Mail stored in .dbx files
Passwords and Encryption
• NTPassword
– http://home.eunet.no/pnordahl/ntpasswd/
• Password Tools
– http://www.passwordportal.net/
– http://www.brothersoft.com/downloads/crack-password.html
Steganography and Keystroke Logging
• Steganography
– Try Steganote
• Keystroke logging
Common
PRODISCOVER
• Create Case
• Add Image
• Content View
– Examine Deleted Files
•Click check box on interesting file
•Make comment
PRODISCOVER
• Content Search
– Search for pattern
•Drugs, sex, etc.
– Click Search Results
•Finds anything: docs and email!
PRODISCOVER
• What about files with wrong ext?
– Pick Folder on Left Side
You are now… Dangerous!
Thank you!