Computer Forensics

1
Computer Forensics

• The Legal Side of Incident Response
• Ioanna Kantzavelou
• Technological Educational Institution - TEI of
  Athens
• Department of Informatics
• Symposium on Innovation of Computer Science
  Curriculum in Higher Education
• February 2004

2
Outline at a Glance

• The Incident Response area
• Computer Forensics
• Definition and meaning
• Main principles
• Requirements
• Roadmap
• Conclusion and Future Work
• Resources

3
Incidents

• Incident any security relevant adverse event
  that might threaten the security of a computer
  system or a network.
• An event must have observable and recordable
  characteristics
• the connection to a system via a network,
• the file access,
• a system shutdown, etc.
• Adverse events
• system crashes,
• packet flooding within a network,
• unauthorized use of another user's account,
• defacement of a web page,
• execution of malicious code,
• floods, fires, electrical outages, etc.

4
Types of Incidents

• Most incidents point towards
• Confidentiality,
• Integrity, or
• Availability.
• Different types of incidents
• reconnaissance,
• repudiation,
• harassment,
• extortion,
• pornography trafficking,
• organized crime activity,
• subversion,
• hoaxes, etc.

5
Incident Response

• Incident Response is a new field with similar
  goals as IT Security.
• Scope to negate or minimize the impact of an
  incident, reacting by taking certain actions.
• It can be used to restore confidentiality,
  integrity, and availability.
• A particular important part of the legal side of
  incident response is the area of forensics.

6
Computer Forensics meaning

• Forensic (adj.)
• belonging to courts of law and it is used in law
  pleading.
• It relates to sciences or scientists connected
  with legal investigations.
• Forensics (n.)
• the art or study of public debate.
• Forensics
• any systematic or scientific examination of
  evidence in the investigation of a crime.
• Computer forensics
• (cyber-forensics), is the detailed examination of
  computer systems in an investigation.

7
CF scope and characteristics

• Scope The collection and search of specific data
  that will serve as acceptable evidence in a court
  of law.
• Computer Forensics deals with
• storage media (e.g. hard disks),
• the examination and analysis of network logs.
• The most repeatable and scientific process.
• An expert follows a step-by-step methodology,
  preserving the integrity of the evidence.
• This methodology does not vary substantially
  between different investigations and technologies.

8
Main Principles

• Scope To protect the investigator, the evidence,
  and the accused party and his/her rights.
• Principles regarding Ethics
• The investigator must have the authority to seize
  and search a computer.
• The search should have clearly defined goals.
• Principles regarding the process
• A set of rules eliminates the possibility of
  tampering with evidence.
• Guidelines assist the maintenance of these rules.

9
Rules to prevent tampering with evidence

• Rule 1. The examination should never be performed
  on the original media.
• Rule 2. The copy is made onto forensically
  sterile media. New media should always be used if
  available.
• Rule 3. The copy of the evidence must be an
  exact, bit-by-bit copy.
• Rule 4. The computer and the data on it must be
  protected during the acquisition of the media to
  ensure that the data is not modified.
• Rule 5. The examination must be conducted in such
  a way as to prevent any modification of the
  evidence.
• Rule 6. The chain of the custody of all evidence
  must be clearly maintained to provide an audit
  log of whom might have accessed the evidence and
  at what time.

10
CF Requirements

• An Incident Response team (Computer Incident
  Advisory Capability - CIAC, Computer Emergency
  Response Team Coordination Center - CERT/CC,
  etc.), or an individual expert.
• trained in the use of a wide range of such tools,
• clearly understand the scope of the
  investigation, and
• plan the examination step-by-step.
• Hardware
• Build a forensics machine from scratch, or
• To buy a ready-made machine from vendors.
• Software (generally accepted software tools)
• Media acquisition tools
• Searching tools
• Integrated suites

11
Roadmap

• Data Acquisition
• Examination
• Conducts technical analysis to identify objects.
• Evaluates for content as evidence.
• Determines relevance (the chain of custody
  problems).
• Results Presentation ? Evidence

12
Media Acquisition Tools

• Acquisition objectives
• the software must have an exact copy, bit-by-bit
  copy, and
• the software must not modify the original data in
  any way.
• Hardware-copying devices
• Disk-cloning software (e.g. DriveCopy,
  www.powerquest.com)
• Safeback (www.forensics-inintl.com), certifies
  that the copy is an exact, bit-by-bit copy of the
  original.

13
Searching Tools

• Searching Requirements
• A capable search tool that do not modify data.
• A careful plan on what to search for.
• File Viewers (e.g. Norton Utilities).
• Dedicated File Viewers (e.g. QuickView Plus).
• Disk Editors (e.g. Norton Disk Editor).
• Hex Editors.
• The file search capability within Windows.
• The grep utility (UNIX and Windows NT).
• Specialized search tools for law enforcement use
  to search and categorize images (pornography on
  seized systems).
• DiskSearch Pro (www.forensics-intl.com), a text
  search program.

14
Integrated Suites

• Integrated software suites provide the
  capability
• To acquire data
• To perform searches
• To produce reports
• Byte Back (www.toolsthatwork.com)
• DriveSpy (www.digitalintel.com)
• EnCase (www.guidancesoftware.com)
• Expert Witness (www.asrdata.com)

15
Data Acquisition

• The U.S. Justice Department has defined
  guidelines for search and seizure of electronic
  evidence.
• The basic rules are
• Document everything that the investigator does.
• Take all appropriate steps to ensure that the
  evidence itself is not compromised in any way
  during the acquisition.
• (cont.)

16
Data Acquisition

• Steps to preserve the evidence and provide the
  investigator with any required data
• Secure the physical area
• Shut down the system
• Secure the system
• Prepare the system
• Examine the system
• Prepare the system for acquisition
• Connect the target media
• Copy the media
• Secure the evidence

17
Examination

• Examining the evidence is not straightforward.
• Plan what items to search for.
• Narrow the search to an acceptable scope.
• Define what constitutes a successful (or
  unsuccessful) conclusion.
• Recover deleted files because data might be found
  in file fragments or file slack.
• Image files which are often highly compressed,
  are especially difficult to reconstruct.
• Certain OS might contain crucial evidence (e.g.
  the Windows Registry, event log files).

18
Limitations

• A forensics examination can, at best, identify
  the computer involved in an incident.
• Placing a specific person at that computer is
  extremely difficult without additional evidence.
• Finding evidence that a computer was used to
  access other systems, is much more difficult.
• A forensics examination that does not also
  involve other corroborating evidence source
  cannot be conclusive.
• A skilful user makes the examiners job
  difficult, if not impossible.

19
Conclusion and Future Work

• Forensics is an extremely valuable tool in the
  investigation of computer security incidents.
• Considerable legal issues arise when
  investigating computer systems.
• Intrusion Detection might support Computer
  Forensics in the future, and vice versa.

20
Resources

• Computer Crime Investigation Forensic Tools and
  Technology, edited by Eoghan Casey, Academic
  Press, 2002.
• E. Eugene Schultz and Rusell Shumway. Incident
  Response - A Strategic Guide to Handling System
  and Network Security Breaches. New Riders, 2002.
• Warren G. Kruse II and Jay G. Heiser, Computer
  Forensics Incident Response Essentials,
  Addison-Wesley, 2001.
• Mohay G., Anderson A., Collie B., Oliver de Vel,
  and McKemmish R., Computer and Intrusion
  Forensics, Computer Security Series, Artech House
  Publishers, 2003.
• Searching and Seizing Computers and Obtaining
  Electronic Evidence, U.S. Justice Department,
  www.usdoj.gov/criminal/cybercrime/searchmanual.htm
  

21
Thank you very much !