Computer Forensics Knowing What to Look for - PowerPoint PPT Presentation
Provided by: cgai
Transcript and Presenter's Notes

1
Computer Forensics - Knowing What to Look for
2
Objectives
  • Discuss what it is we are looking for in terms of
    digital evidence
  • Consider sources of evidence
  • Link computer forensics inquiry to tools and
    techniques
  • Consider relationship to security issues

3
Scale of Task
  • Needle in a haystack
  • Needle in a haystack when the haystack is made of
    needles (needle-stack)
  • Needle in a needle-stack in a field of
    needle-stacks

4
Nature of Task
  • Not all computer security or misuse incidents
    will culminate in a full digital forensics
    investigation
      • Might not be viable
      • For example: prohibitive cost, pragmatics of
        the case, probability of prosecution
  • Many investigations will be non-litigious (not
    going to court) but are trying to identify what has
    happened
  • For all tasks:
      • Determine how the event occurred and how it was
        able to occur
      • Determine whether recovery is possible
      • Evaluate how systems can be protected in future,
        not just critical systems but non-critical ones,
        as these are often the weakest link
      • Methodology as if the investigation were a legal
        case
  • What happens when we find something that the
    client wishes to suppress?

5
Maintaining Continuity of Evidence
  • It is important to document details of every
    piece of seized evidence to help establish its
    authenticity and initiate the chain of custody
  • Numbering items, taking photographs, recording
    serial numbers and documenting who handled the
    evidence, done on standard forms with additional
    notes
  • Ensuring every process and procedure is
    documented in relation to the digital evidence
  • Refer to ACPO guidelines for handling digital
    evidence

6
Evidence Dynamics
  • Rarely do we get the chance to investigate a
    digital crime scene in its original state
  • Evidence dynamics are any influences that change,
    relocate, obscure or obliterate evidence,
    regardless of intent, between the time the
    evidence is transferred and the time the case is
    resolved
  • Offenders, victims, first responders, digital
    evidence examiners and anyone who has access to
    digital evidence prior to its preservation can
    cause evidence dynamics

7
Errors
  • Media containing digital evidence can deteriorate
    over time or when exposed to fire, water or toxic
    chemicals
  • Errors can be introduced at the examination stage:
      • Human error
      • Procedural error
      • Interpretational error
      • Software error
  • Digital examination tools can have bugs
  • Defence counsel will attempt to expose these in
    order to cast reasonable doubt!

8
The Threat Matrix
[Chart: threats plotted against Probability of Threat and Business
Impact. Items plotted: Internet worms, financial application crash,
DoS attack, privacy leak, virus, web services breach, disgruntled
employees, application security, access management failure,
PDA/handhelds, earthquake, wireless LANs, OS systems security,
information leak, e-mail content disclosure.]
9
What are we trying to do ?
  • Notice when a crime has occurred
  • Establish corpus delicti (meaning, in a UK legal
    context, "the body of the offence")
  • Auditing processes / procedures
  • Identify the crime or misuse
  • Attribute the crime or instance to a person by
    uncovering compelling links between offender,
    victim and crime scene
  • Can identify class characteristics or individual
    characteristics
  • Analogy: shoe prints
      • Could identify that the print came from trainers
      • Could identify the make of trainers
      • Could identify particular wear of a sole
      • Could identify a particular cut or break in the
        pattern

10
Identifying Individuals in a Digital World
  • Virtual and intangible space
  • One of the attractions of computing is openness
    and anonymity
  • However, digital trails are left
      • Data held on the offender's computer
      • Data recorded by a server or internet provider
  • Make sure evidential integrity is maintained and
    you do not create your own cybertrail
  • Can we make use of profiling? Do they always
    attack in the same way?
  • Example: offensive e-mail
      • Data on the sender's hard drive, including the
        original message
      • Information on the web server such as access logs,
        e-mail logs, IP addresses, browser version and
        possibly the sent message
      • Ties the PC, if not the person, to the incident
  • Example: see Traces of Guilt, Barrett (2004)

11
Starting to Investigate
  • Duplicate image of all sources of digital data
  • Recover data that has been deleted, hidden,
    camouflaged or otherwise unavailable for viewing
    using the resident operating system; the aim is to
    obtain a complete data timeline
  • Begin the harvesting stage: gather data and
    metadata (data about data)
  • This is when actual reasoned scrutiny begins;
    facts begin to take shape that support or falsify
    hypotheses
  • Investigations should be done with no interaction
    with the user or potential suspect
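As an added example (not part of the original slides), this Python sketch shows how the continuity-of-evidence points from slide 5 and the imaging step above fit together: the acquisition hash of the duplicate image is recorded in a hash-chained handling log, so a working copy can later be checked against it and any edited or removed log entry is detected. The image bytes, log format and item identifiers are constructed for the example and are not taken from the ACPO guidelines.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; a real one is the bit-for-bit duplicate
# taken from the seized media (hypothetical content, not a real disk).
IMAGE_BYTES = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa"

def image_hash(data: bytes) -> str:
    """Acquisition hash, recorded on the seizure form with item number and serial."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Hash-chained handling log: each entry commits to the previous entry, so an
    edited or removed entry breaks verification. The format is this example's own
    assumption, not one taken from the ACPO guidelines."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, handler, action, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "item_id": item_id, "handler": handler, "action": action,
            "evidence_hash": evidence_hash, "prev_entry_hash": prev,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """True only if every entry hashes correctly and the chain is unbroken."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_entry_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def image_matches_record(data: bytes, log: CustodyLog, item_id: str) -> bool:
    """Check a working copy against the hash recorded when the item was acquired."""
    first = next(e for e in log.entries if e["item_id"] == item_id)
    return image_hash(data) == first["evidence_hash"]
```

The chain detects edits to earlier entries and removal of an entry from the middle; it cannot by itself prove that a trailing entry was never appended, which is why the paper form and witness signatures still matter.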

12
Locating Evidence - Physical
  • Not all evidence in computer forensics comes from
    computers
      • Room and desk
      • Printers and other peripherals
      • Monitors and keyboards
      • Telephone
      • Wallets and clothing (pockets etc.)
      • Rubbish bins
  • Hard drives
      • It is possible to recover information from a
        "deleted" hard drive
      • FDISK, FORMAT and defrag do not remove anything
        except the root directories
      • Everything else is left on the hard drive and can
        be recovered using computer forensics tools

13
Locating Evidence - Digital
  • Volatile
      • Programmes available to capture RAM
  • Non-volatile
      • Registry
      • Malware footprints
      • Files, file types and directories (for example
        FAT and NTFS): hiding information in the MFT /
        alternate data streams (ADS) (hidden data
        attribute)
      • E-mail accounts and e-mail headers
      • Cookies
      • Internet histories
      • Changes to BIOS, etc.

14
What to Look for - examples
  • Look at Trojans: often used as the "Trojan defence"
  • Look in detail at what the Trojan could have done and
    map this against other digital evidence
  • Essential and non-essential data
      • Essential data: can be trusted, as it can't easily
        be changed
      • Non-essential data: can be changed, such as
        time/date stamps, permissions, access rights etc.
  • Attempts to cover tracks are often found through
    conflicting evidence:
      • Consistency checks on attribute type IDs, for
        example the NTFS data attribute has a type ID of 128
      • Checksums and hex values compared against the
        anticipated, appropriate values
      • Dates out of sync between the home machine and the
        network server
      • Conflicts between creation time and last written
        time
      • File extensions, for example .JPG or .GIF, but
        also .doc files which don't look right in terms of
        size
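An added example (not from the original presentation) of the consistency checks listed above, run over constructed file records: extension against header bytes for .JPG, .GIF and .doc, an implausible .doc size, NTFS attribute type IDs (the data attribute's ID of 128 = 0x80), creation time later than last-written time, and a host timestamp out of sync with a network server's record of the same event. The record layout and sample values are assumptions for the example, not real MFT entries.

```python
from datetime import datetime

# Magic bytes for the file types the slide names; ".doc" is the legacy OLE2 container.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
# Valid NTFS attribute type IDs run 0x10..0x100 in steps of 0x10 ($DATA is 128 = 0x80).
VALID_ATTR_TYPES = set(range(0x10, 0x101, 0x10))

def check_record(rec: dict, skew_limit_s: int = 300) -> list:
    """Return the inconsistencies found in one simplified file record.
    The record layout is an assumption for this example, not a real MFT entry."""
    findings = []
    ext = rec["name"].lower()[rec["name"].rfind("."):]
    created = datetime.fromisoformat(rec["created"])
    modified = datetime.fromisoformat(rec["modified"])
    # Extension versus content: the header bytes must match the claimed type.
    if ext in MAGIC and not rec["header"].startswith(MAGIC[ext]):
        findings.append("extension/content mismatch")
    # A .doc smaller than one 512-byte OLE sector cannot be a valid document.
    if ext == ".doc" and rec["size"] < 512:
        findings.append("size too small for .doc")
    # Attribute type IDs: a file record needs $DATA (0x80) and only valid IDs.
    if 0x80 not in rec["attr_types"] or not set(rec["attr_types"]) <= VALID_ATTR_TYPES:
        findings.append("unexpected attribute type IDs")
    # Timestamp logic: a file cannot be created after it was last written.
    if created > modified:
        findings.append("created after last written")
    # Host clock versus the network server's record of the same event.
    if "server_time" in rec:
        server = datetime.fromisoformat(rec["server_time"])
        if abs((created - server).total_seconds()) > skew_limit_s:
            findings.append("host/server clocks out of sync")
    return findings

# Constructed sample records: the first is consistent, the second is not.
SAMPLE_RECORDS = [
    {"name": "holiday.jpg", "header": b"\xff\xd8\xff\xe0\x00\x10JFIF", "size": 248000,
     "created": "2004-03-01T09:00:00", "modified": "2004-03-01T09:05:00",
     "attr_types": [0x10, 0x30, 0x80]},
    {"name": "report.doc", "header": b"MZ\x90\x00\x03\x00", "size": 61440,
     "created": "2004-03-02T10:00:00", "modified": "2004-03-01T10:00:00",
     "attr_types": [0x10, 0x30, 0x85], "server_time": "2004-03-02T14:00:00"},
]

def scan(records=SAMPLE_RECORDS) -> dict:
    """Map each file name to its list of findings."""
    return {r["name"]: check_record(r) for r in records}
```

Each finding on its own is only a lead; the slide's point is that several of them conflicting on one file is what exposes an attempt to cover tracks.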

15
Summary
  • There is potentially a huge area from which
    digital evidence and other data for computer
    forensics can be obtained
  • Knowing the question we are trying to solve will
    help set the framework for the evidence we are
    looking for
  • Evidential integrity and evidential continuity
    must be maintained in our searching
  • Professional responsibility and accountability
    must be taken into account