Computer Forensics,
The Investigator's Perspective
Paul T. Mobley Sr. ([email protected]) Computer Forensics Consultant
What is Computer Forensics?
Computer Forensics can be defined simply as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal
Overview of Presentation
• Why is Evidence identification and Preservation required?
• Who benefits from Computer Forensics?
• General Types of Forensic Examinations requested.
• Process of Forensics.
• Tools of the trade.
Why is Evidence important?
• In the legal world, Evidence is EVERYTHING.
Who needs Computer Forensics?
• The Victim!
• Law Enforcement
• Insurance Carriers
Who are the Victims?
• Private Business
• Government
• ID the perpetrator.
• ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.
• Conduct a damage assessment of the victimized network.
• Preserve the Evidence for Judicial action.
Types of Forensic Requests
• Intrusion Analysis
• Damage Assessment
• Suspect Examination
• Tool Analysis
Intrusion Analysis
• Who gained entry?
• What did they do?
• When did this happen?
• Where did they go?
Damage Assessment
• What was available for the intruder to see?
• What did he take?
File Recovery
• Deleted Files
• Hidden Files
• Slack Space
• Bad Blocks
• Steganography
• X-Drives
NTFS Streams
The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
Copyright(c)1998 NT OBJECTives, Inc. All Rights Reserved
AFind - File access time finder
SFind - Hidden data streams finder
Tool Analysis
• What tools were used?
• How were they executed?
Log File Analysis
• Events.
• What Events are monitored?
• What do the event records reveal?
• Firewall/Router/Server log files?
• TripWire Database?
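The who/what/when/where questions on the Intrusion Analysis slide and the log-file bullets above are answered the same way in practice: records from several sources (firewall, server, application) are normalized and correlated on a common key, usually the source address, to build one timeline per actor. The following Python is an added example and not part of the presentation; the hosts, addresses and record formats in SAMPLE_LOGS are constructed for the demo, and the sshd-style and firewall line formats are assumptions, not any particular product's syntax.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the presentation): a firewall
# accept record plus server authentication records for the same source.
SAMPLE_LOGS = """\
2024-03-01T02:14:05 fw01 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T02:14:09 srv01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:14:13 srv01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:14:20 srv01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T02:15:02 fw01 ACCEPT src=203.0.113.7 dst=192.0.2.11 dport=445
2024-03-01T02:16:40 srv01 sshd: Accepted publickey for backup from 198.51.100.4
"""

# Assumed record layouts for the two sources in the sample.
FW_RE = re.compile(r"^(\S+) (\S+) ACCEPT src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) \S+ for (\S+) from (\S+)$")


def parse_events(text):
    """Turn raw lines from different sources into dicts of one common shape
    (time, host, kind, src, detail) so they can be correlated on src."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, src, dst, dport = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "host": host,
                           "kind": "connect", "src": src,
                           "detail": f"{dst}:{dport}"})
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "host": host,
                           "kind": outcome.lower(), "src": src, "detail": user})
    # Sorting by timestamp gives the "when" across all sources at once.
    return sorted(events, key=lambda e: e["time"])


def timeline_by_source(events):
    """Group the time-ordered events by source address: "who" and "when"."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return dict(by_src)


def targets_reached(events, src):
    """"Where did they go?": the host:port pairs the source connected to."""
    return sorted({e["detail"] for e in events
                   if e["src"] == src and e["kind"] == "connect"})


def brute_force_then_success(events, min_failures=2):
    """Sources with at least min_failures failed logons followed by an
    accepted logon: the records worth examining first."""
    flagged = set()
    for src, evs in timeline_by_source(events).items():
        failures = 0
        for e in evs:
            if e["kind"] == "failed":
                failures += 1
            elif e["kind"] == "accepted" and failures >= min_failures:
                flagged.add(src)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for src, items in timeline_by_source(evs).items():
        print(src)
        for e in items:
            print(f"  {e['time']:%H:%M:%S} {e['host']:6} {e['kind']:9} {e['detail']}")
    print("flagged:", brute_force_then_success(evs))
```

The value of the normalized shape is that the firewall's "connect" record and the server's "accepted" record line up on the same source and a few seconds apart, which is the kind of cross-source agreement an examiner needs before attributing activity to an actor.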
Evidence Search
• Image Files
• Software applications
• Deleted Files
• Hidden Files
• Encrypted Files
• Hidden partitions
• Keyword Search
Forensics Process
• Preparation
• Protection
• Imaging
• Examination
Preparation
• Confirm the authority to conduct analysis/search of media.
• Verify the purpose of the analysis and the clearly defined desired results.
• Ensure that sterile media is available and utilized for imaging (i.e. free of viruses and non-essential files, and verified before use).
• Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics
Legal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 614 (1989).
Protection
• Protect the integrity of the evidence. Maintain control until final disposition.
• Prior to Booting target computer, DISCONNECT HDD and verify CMOS.
• When Booting a machine for Analysis,
Imaging
• Utilize disk “imaging” software to make an exact image of the target media. Verify the image.
• When conducting an analysis of target media, utilize the restored image of the
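Making an exact image and then verifying it means two separate steps: copy every byte, and then hash the source and the copy independently and compare. The Python below is an added example, not the presentation's or any vendor's imaging tool; FAKE_MEDIA is a constructed three-sector stand-in for the target drive, and SHA-256 is the assumed hash (the slide does not name one).

```python
import hashlib
import io

SECTOR = 512

# Constructed stand-in for target media (not from the presentation): three
# sectors, the last holding content whose directory entry is gone.
FAKE_MEDIA = (b"BOOT".ljust(SECTOR, b"\x00")
              + b"invoice.txt: wire to account 1234".ljust(SECTOR, b"\x00")
              + b"deleted but still on disk".ljust(SECTOR, b"\x00"))


def image_media(src, dst, chunk_size=4096):
    """Copy src to dst byte-for-byte, hashing the data as it streams past.
    Returns the SHA-256 of everything read from the source."""
    h = hashlib.sha256()
    for chunk in iter(lambda: src.read(chunk_size), b""):
        h.update(chunk)
        dst.write(chunk)
    return h.hexdigest()


def hash_stream(f, chunk_size=4096):
    """Re-read a stream from the start and hash it, independently of the copy loop."""
    f.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_against_record(image_bytes, recorded_digest):
    """Check a working copy against the hash recorded at acquisition;
    a single changed byte makes this False."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_digest


def acquire(media_bytes=FAKE_MEDIA):
    """Image the media into a second buffer, then verify by hashing source
    and image separately. Returns (digest, verified, image_bytes)."""
    src = io.BytesIO(media_bytes)
    img = io.BytesIO()
    digest = image_media(src, img)
    verified = hash_stream(src) == hash_stream(img) == digest
    return digest, verified, img.getvalue()


if __name__ == "__main__":
    digest, ok, image = acquire()
    print("sha256:", digest)
    print("verified:", ok, "bytes:", len(image))
```

Against real media, src would be the block device opened read-only behind a hardware write blocker, the digest goes into the case notes, and every later examination step runs against a copy of the verified image so the image itself is never modified.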
Examination
• The Operating System
• Services
• Applications/processes
• Hardware
• LOGFILES!
Examination Continued
• Deleted/Hidden Files/NTFS Streams
• Software
• Encryption Software
• Published Shares/Permissions
• Password Files
• SIDS
Off-Site Storage
• “X-Drives”
• FTP Links
• FTP Logs
Security Identifiers
• SIDs can be used to ID the perpetrator.
SID Structure
• Domain Identifier: All values in the series, excluding the last value, ID the Domain.
• Relative Identifier (RID) is the last value. This IDs the Account or Group.
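The split described above (everything but the last value identifies the domain, the last value is the RID) is what lets an examiner tell that two SIDs found in different artifacts belong to the same domain, and a few RIDs are fixed by Microsoft regardless of domain (500 is the built-in Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users). The Python below is an added example, not from the presentation: it parses the textual form, compares domain identifiers, and converts to and from the binary layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) in which SIDs appear in registry hives and security descriptors. The SAMPLE_SIDS are constructed.

```python
import struct

# Well-known relative identifiers documented by Microsoft; the RID alone
# often tells you the account class without any domain lookup.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}

# Constructed example SIDs (not from the presentation): two accounts in
# the same domain and one from a different domain.
SAMPLE_SIDS = [
    "S-1-5-21-3623811015-3361044348-30300820-1013",
    "S-1-5-21-3623811015-3361044348-30300820-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1013",
]


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority, the
    sub-authorities, the domain identifier (all but the last value) and
    the RID (the last value), as the slide describes."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    sub_authorities = [int(p) for p in parts[3:]]
    rid = sub_authorities[-1]
    return {
        "revision": int(parts[1]),
        "authority": int(parts[2]),
        "sub_authorities": sub_authorities,
        "domain_identifier": "-".join(parts[:-1]),
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


def same_domain(sid_a, sid_b):
    """Two SIDs belong to the same domain when all but the last value agree."""
    return parse_sid(sid_a)["domain_identifier"] == parse_sid(sid_b)["domain_identifier"]


def sid_to_bytes(sid):
    """Encode the binary layout: revision byte, sub-authority count byte,
    6-byte big-endian identifier authority, then little-endian uint32 subs."""
    p = parse_sid(sid)
    subs = p["sub_authorities"]
    return (struct.pack("<BB", p["revision"], len(subs))
            + p["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data):
    """Decode the binary layout back into S-R-A-... text, e.g. for a SID
    pulled out of a registry hive or a security descriptor."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        p = parse_sid(s)
        print(s, "->", p["domain_identifier"], "RID", p["rid"], p["well_known"])
    print("same domain:", same_domain(SAMPLE_SIDS[0], SAMPLE_SIDS[1]))
    print(sid_to_bytes(SAMPLE_SIDS[1]).hex())
```

A matching domain identifier across a SAM hive, an NTFS owner field and an event log entry is the kind of link that ties an account on the victim machine to the activity observed, which is why the slide lists SIDs as an identification aid.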
Documentation
• Document EVERYTHING
• Reason for Examination
• “The Scene”
• Utilize Screen Capture/Copy Suspected files
Closing
• Forensic Techniques are based on the File System of the media to be examined.
• Utilizing an NTFS partition enhances security. It further increases the Forensic examiner's chances of recovering useful evidence.