Computer Forensics - PowerPoint PPT Presentation

1 / 36

About This Presentation

Title:

Computer Forensics

Description:

Image galleries. Sophisticated search capabilities. GREP subset, sound-alike, 'fuzzy-searches' ... Search warrant executed on the residence, computer seized, ... – PowerPoint PPT presentation

Number of Views:100

Avg rating:3.0/5.0

Slides: 37

Provided by: nce5

Category:

more less

Transcript and Presenter's Notes

Title: Computer Forensics

1
Computer Forensics

Ryerson University
February 16, 2005
S/Sgt. Paul Poloz,
Royal Canadian Mounted Police

2
Current Posting

Integrated Cyber Intelligence Team
Technological Crime Branch
Technical Operations Directorate, HQ
Royal Canadian Mounted Police
Ottawa

3
Staff Sergeant Paul Poloz

Graduated from Ryerson in 1989.
Uniform and plainclothes work for 6 years on the
west coast
French language training
Peacekeeping mission in Haiti
Technological Crime Branch
Eight years experience
Computer forensics, tech crime investigations
Secondment to Ottawa Police Service
Secondment to National Child Exploitation
Investigation Coordination Centre

4
Staff Sergeant Paul Poloz

Declared expert witness in criminal court and
testified numerous times.
Lecture at the Canadian Police College and other
venues on computer forensics and tech crime
investigations.
Recently completed a part-time MBA at University
of Ottawa

5
Topics Covered

Definition of computer forensics
Brief history of computer forensics
Computer forensic methodology
Incident response
Location of evidence
Continuity
Statements
Tech crime investigations
Case study

6
Definition of Computer Forensics

Computer Forensics deals with the preservation,
identification, extraction and documentation of
computer evidence.
New Technologies Inc. (NTI) Website.
Usually performed for judicial process.
Criminal
Civil
CF usually performed on data at rest

7
History of Computer Forensics

PCs (introduction to late 1990s)
Intel CPU based PCs non-standard hardware and
software
FAT file system
Forensics done on DOS platform despite Windows OS
In- house RCMP utilities to facilitate file
residue analysis, hard disk lock, file listing,
drive duplication.
Limited searching capabilities
Multiple disk images made of original during
forensic process
Standalone forensics

8
History of Computer Forensics

Mainframes and Minis
Not much demand for forensics
Limited usage
Limited access
Forensics done on ad-hoc basis, computer experts
tasked by police

9
History of Computer Forensics

Late 1990s saw the emergence of GUI based tools
Standardized hardware
Proliferation of file systems
Internet gaining in popularity
A variety of file systems processed under one
platform
Many different vendors to choose from
The Internet, networking
Pieces of puzzle scattered

10
History of Computer Forensics

Image galleries
Sophisticated search capabilities
GREP subset, sound-alike, fuzzy-searches
Sorting, hashing (data reduction)
Report generation
Data (file system and residue) stored and
accessed as files
Data authentication (embedded hashes)
Sophisticated Scripting Languages

11
CF Present State

New technology introduced at a rapid rate. Other
technology gaining in popularity
LANs, wireless, RAID, SANs,
Remote storage technologies
OSs with default encrypted filesystems.
Huge storage capacities
Data reduction techniques
Multiprocessor architecture
Linguistic issues
unicode

12
Objectives

Ensure that not one bit of data on a hard disk is
altered.
Imaging techniques
Analyze all of the data.
Problems with large data sets
Encryption
Present the findings tailored to the intended
audience.
Unbiased
Many people involved in the judicial system have
limited knowledge of I.T.

13
File Residue

Many file systems contain file residue
Example FAT deleted, hidden, bad clusters, file
slack
Valuable evidence can be located
Wiping utilities prove to be problematic

14
Basic Forensic Process

Seize computer (may include on-site examination,
write blocker?)
Remove hard disk from CPU chassis
Image acquisition
Analysis performed using image (unless for a
quick triage)
Off-the-shelf products (SMART, Encase, FTK)
ILOOK
Linux
In-house utilities and solutions
Native O/S

15
Basic Forensic Process

Search for text (i.e. grep search)
Examine graphic images
Uncompress, undelete, decrypt, extract residue
Gather evidence
Create final report

16
Hazards of Using the Target O/S

A virus could destroy evidence.
Trojans/modified commands.
Dates associated to file may be altered.
File residue may be overwritten.
Altering evidence introduces doubt into the
integrity of the data.

17
Tainting the process

Use of untrained personnel to perform the
forensic examination.
Power-up the target computer.
Use the target computers operating system to
open files and examine data.
Install software to the target hard disk.
Improper shut-down.
Continuity issues.
Data integrity issues

18
Case Study Number 1

Hacker investigation
Investigation in 2002 of a crime committed in
1996.
Phf exploit committed by perpetrator. BSD Unix
platforms, with ISPs as victims.
Gained access to password file (but not shadow
password file).
Attempts were made to get pawwrod hashes.
Investigation involved seizing old BSD backup
tapes from 3 locations.

19
Case Study Number 1

Forensics done on Linux platform
Use of special utilities to determine tape format
Search Internet for appropriate restore software
Evidence copied to CDROM then processed on Window
platform.

20
Case Study Number 2 - Predator

IRC chat room.
Identify targets of local jurisdiction
Engage supect
Assess suspects culpability
Ascertain if offence is/ or will be commited.
Search warrant (dial-up account)
Set-up meeting and surveillance
Meet suspect and gather RPG to search residence.

21
Case Study Number 2 - Predator

Arrest suspect and hold in custody
Execute search warrant and seize exhibits
On-site examination for RPG and determine
severity of offence (evidence for Show Cause).
Process suspect.
Forensic processing at lab

22
Cyber Crime Incident Response

What is an incident?
Computer as a target
Unauthorized access
Mischief to data
Port Scans?
Computer as a tool
Threats
Hate Crime
Child Pornography
Fraud, etc

23
Incident Response

Educate users to raise security awareness
Build a centralized incident reporting centre
Establish escalation procedures
Ensure that service-level agreements include
provisions for security compliance
Decide in advance under what circumstances youd
call the police
Establish communication procedures should this
become a media event.

24
Incident Response

Is threat external or internal to company
Will event be reported to the police?
Your initial actions can make or break the case
Call police as soon as possible.
Lots of gray areas
Management may not want police involvement
Incident may be trivial
Incident may be civil

25
Incident Response

Detect incident
Analyze the incident
Contain or eradicate the problem
Provide workarounds or fixes
Prevent re-infection
Log events
Preserve evidence
Conduct post-mortem and apply lessons learned

CIO cyberthreat response reporting Guidelines
26
Incident Response

If management is undecided whether to involve
police or not
Contain incident (take affected resources
offline)
Observe and document machine state
Symptoms of incident
Unexplained processes
Etc

27
Incident Response

Preserve evidence
Log files, password file, other suspicious data
Original source (i.e. hard disk) is best evidence
but copies often used.
Photograph or screen captures
Consider hashing of preserved files.
Gather evidence from those involved
Make detailed notes of everything you do
Write report so that non-technical personnel
grasp the concepts, but be complete.

28
Documentation

Notes made at the time of the incident while it
is occurring. Record your actions as youre doing
them. The notes are for yourself but may be
disclosable.
Statement transcribe notes. Describe your
actions with respect to incident. Used to aid
investigators, and to refresh your memory. Plain
language in as much detail as possible.
Report comprehensive report of incident. May
include information derived from other sources.

29
Evidence Handling

Continuity is paramount
Must be able to convince a judge that evidence is
accurate and wasnt tampered with.
Locks and special lockers

30
Tech Crime Investigation

Distributed Denial Of Service case study.
Fictitious but entirely plausible
A Toronto based company with a web presence
experiences server performance problems. Service
degraded to the point where there is a loss of
business.
Sys-admin reviews logs and notices large amounts
of traffic from multiple IP addresses.
Police notified.
Several log entries show traffic coming from the
same IP address.

31
Tech Crime Investigation

Several IP addresses are identified by sys-admin
and police as being suspect.
Traceroute, whois, DNS look-up etc traces IP to
an ISP in Calgary.
Police contact ISP and are given Vancouver as the
geographical location of the subscriber.
Investigation continues with assistance of local
police force. A search warrant for subscriber
information is executed on the ISP.

32
Tech Crime Investigation

In compliance with the search warrant the
subscribers name, address, credit card number,
and usage history are given to police.
Surveillance and computer checks on the residence
indicates that a man and woman reside there (Male
subject is ISP subscriber).
Search warrant executed on the residence,
computer seized, occupants questioned. Occupants
deny involvement.
Forensics reveals Back Orifice Trojan on computer

33
Tech Crime Investigation

IP address responsible for Trojan is located.
Evidence linking the originator of the Trojan
with DDOS is found.
IP address is administered by an ISP in Dallas.
FBI contacted and assist with a preservation
order. FBI determines that suspect lives in
Dallas.
MLAT request initiated by local authorities.
Subscriber details obtained via MLAT and given to
Canadian authorities.

34
Tech Crime Investigation