Computer Forensic

1
Computer Forensic Investigations Christopher
J. Mellen Director of Professional Services
2
Background

• 19 years of experience
• Law Enforcement, Counterintelligence, Corporate
  Investigations
• 10 years computer crime, cyber counterintelligence
  and corporate investigations
• BS Criminal Justice, MS Computer Information
  Systems
• 600 hours network and computer forensic training

3
What is computer forensics?

• Emphasis is on data preservation
• Hard drive data is preserved in image files
• Devices are used to prevent changes to evidence
• Hash values are used as fingerprints or digital
  DNA

4
Computer forensics is a science

• Discovery must be reproducible
• Rules for handling evidence must be followed
• Unique in that evidence is not used up
• Care must be taken not to contaminate data
• Date /Time stamps
• Contamination can make evidence inadmissible

5
Computer forensics has advanced dramatically over
past 20 years

• Innovation phase DOS-based analysis
• Early adoption Windows (GUI) analysis
• Late adoption Enterprise-based forensics
• Now Memory analysis vs database analysis and
  Distributed computing

6
When forensics began in the mid 80s, tools were
DOS-based

• Analysts read command line
• Amount of data to be analyzed was limited
• Average hard drives were small (lt100 MB)
• People used floppy disks
• Little to no formal training existed
• 1989 FLETC introduced Computer Investigative
  Specialist training program
• 1991 International Association of Computer
  Investigative Specialists organized

7
By the early 90s, the industry had taken hold

• DOS-based tools were optimized for high-speed
  searching and data reconstruction
• Hard drives were still small (lt500 MB)
• Large cases involved 100,000 files
• Increased training of law enforcement
• FBI
• FLETC
• IACIS
• NW3C

8
Case Study Fraud Investigation

• Theft from a military exchange/dept. store
• The perpetrator
• Hired to install window tint, stereos
• Would earn commission for merchandise sold
• What was he actually doing?
• Stealing stereos
• Charging customers full price
• Submitting sales to receive commission
• Using his girlfriend who worked in accounting

9
How did he get caught?

• The girlfriend reported him to her manager
• We seized 5 computers and 100s of floppy disks
• A single disk contained a deleted spreadsheet
  containing the actual numbers
• Over 1 million identified

10
In the late 90s, GUI forensics tools changed the
game

• Made computer forensics faster, more efficient
• Increased use of computer forensics in
  investigations
• More state and local law enforcement became
  involved and assumed leadership roles

11
Although I think reading binary is fun.
12
graphical tools are easier to use
13
Case Study

• Case Study -Murder Investigation
• Cheating spouse
• Husband kills wife and shoots boyfriend
• Windows temporary Internet files
• Automated tool (graphical) able to preview system
  quickly
• Date stamp analysis showed SUBJECT, map quested
  direction to the victims residence one week prior

14
As computer networks grew, forensics experts
needed more sophisticated ways to retrieve data
that had been shared
15
By 2005, enterprise-based forensics tools were
being used

• Computer forensics had become mainstream
• Significant growth in tools, training, education
• Average hard drive was 40-100 GBs
• Investigations involved multiple computers
• Standard investigations involved 5 computers
• Larger investigations involved networks of 50

16
Case Study Classified Data Spillage

• Classified document accidentally introduced into
  an unclassified computer
• E-mailed to several people
• Using enterprise-class tool, we were able to
  search for and remediate the document
• A single examiner
• Hundreds of Machines search from a single
  location

17
Today, data sources continue to grow

• Some PCs have a terabyte of data
• Investigations involve 25 electronic devices
• PDAs
• USB thumb drives
• Digital cameras
• Removable media stores GBs of data
• Large cases will involve over 100 million files
• A single PC will take 5 days to process

18
Increased data storage will be key issue going
forward

• How long will it take to process a terabyte on
  one PC?
• At 10Meg per second, it would take an entire day
  to run a key-word search
• Processing with a single computer from memory
  will not suffice
• Flat databases are becoming obsolete

19
Increased use of distributed computing and
database analysis is the future
20
In the future, distributed computing will
automate hard drive processing

• Forensics tools for the lab will be built on
  relational database technology to process massive
  amounts of data
• Microsoft SQL
• Oracle
• Distributed Computing will be required to process
  the data quickly

21
Case Study Computer Forensic Incident Response

• Seven Geographic Locations
• 200 Separate Domains
• 100,000 workstation and servers
• Structured Data sources
• Email (Notes and Exchange)
• Sharepoint
• Databases

22
Conclusion

• Where we were..
• Where we are now
• How it effects you?
• Expertise
• Information Sharing