Digital Forensics - PowerPoint PPT Presentation

About This Presentation
Slides: 23
Provided by: chr194
Transcript and Presenter's Notes

Title: Digital Forensics


1
Digital Forensics
  • Christopher Schwartz
  • CS 4821, Spring 2006

2
You might be thinking
  • Why is the practice of Digital Forensics
    important?
  • What does Digital Forensics entail?
  • What kind of tools are used by intruders and how
    can we beat them?
  • What is the current state of Digital Forensics
    and where is the field going?

3
Digital Forensics
  • Is important because
  • Using good forensics techniques gives us better
    knowledge of how intruders operate.
  • We gain a better understanding of how to secure
    our systems.
  • An airtight digital forensic case can result in
    conviction of a digital thief.
  • We can better interface with lawmakers to
    implement new policy.

4
Digital Forensics
  • The digital analog of Forensic Investigation
    (think CSI)
  • It involves
  • A quarantine of the affected area or systems
  • Investigating what happened
  • live, using software that existed on the system, or
    dead, using no software on the system [8].
  • Freezing logs, system state, capturing network
    traffic.
  • Preventing future occurrences
  • Patching vulnerable systems, changing security
    policy

5
Digital Forensics is like CSI
  • Grissom et al. arrive on scene
  • Crime scene has been taped off
  • Crime scene is then examined before evidence
    gathered
  • Evidence is gathered
  • Evidence is analyzed in the lab
  • Case solved or further investigation ensues.

6
But due to the nature of digital intrusions
  • Things aren't as cut-and-dried in real life.
  • It is difficult to completely tape-off or
    determine the scope of a digital crime scene.
  • The evidence may be obfuscated or unclear.
  • Evidence is often analyzed as soon as it is
    identified.
  • You may not have the proper tools or knowledge to
    recognize evidence.
  • Evidence is generally time-sensitive and could
    change over the course of the investigation.
  • Cases are rarely open-and-shut. Most convictions
    are from air-tight cases, and many intruders
    simply aren't caught.
  • Currently, dead forensics carry more weight than
    live forensics in courts.

7
The goal of the intruder
  • Gain access to system.
  • Steal your data or do harm to your system.
  • Install backdoor, or phone home service.
  • Hide or destroy evidence that the intruder was
    there.

8
Evidence Concealment
  • Rootkit: the set of an intruder's modifications
    to a host OS which facilitate re-entry and
    concealment of the intruder's activities [8].
  • Three primary types [4]
  • 1st generation rootkits replaced system files
    (detectable by Tripwire).
  • 2nd generation rootkits altered programs loaded
    into memory (detectable by VICE).
  • 3rd generation rootkits, such as the FU Rootkit
    [3], patch the kernel and make it difficult to
    detect/establish a baseline for detection.
  • Rootkits that sit below the kernel are being
    developed that take advantage of Intel
    architecture [4].

9
Rootkit Functionality
(Image used from [8] without permission from the
author)
10
Responding to an intrusion
  • Steps involved in the forensics of digital
    intrusions
  • Identify and contain the threat.
  • Quarantine by freezing logs and attempt to store
    system state or isolate affected systems.
  • Analyze the damage done by intruder.
  • Determine a course of action.
  • Shut down system, diagnose problem, patch
  • Fix system while it is running

11
Roadblocks
  • Can't always halt compromised systems or take
    them offline.
  • e-Commerce, Banking, Power Grid etc.
  • Tools for analysis may be compromised!
  • UNIX utilities may be replaced by fake versions.
  • Intruders may overwrite kernel to provide false
    information to system calls or alter libraries.
  • Covert channel techniques are also used to fool
    investigators.

12
Overcoming the roadblocks
  • Follow an established procedure to address
    security breaches.
  • Document all findings, including the tools used
    to diagnose and fix the problem in a standardized
    way.
  • Use multiple toolsets to get the best picture of
    the harm done.
  • Standards are being developed by the Digital
    Forensics Research Workshop www.dfrws.org.

13
Digital Forensics Toolkit
  • Live CDs - F.I.R.E., Knoppix STD
  • Ethereal, Snort, IPaudit, Cisco Netflow
  • Nmap, Nessus
  • Netfilter / iptables (stateful packet-filtering
    firewall)
  • Paros (web-app exploit test suite)

14
Expert Advice
  • Frank Adelstein, author of the OnLine Digital
    Forensic Tool, says there are three key things to
    consider in a Live Forensic Analysis [9].
  • Run known good binaries.
  • Hash all evidence (MD5, SHA-1).
  • Gather Data in order of volatility (sensitivity).

15
Expert Advice
  • "It is important to prepare a network as a source
    of evidence." (Eoghan Casey [1])
  • Ensure that logs are as complete as possible so
    they do not hinder the investigation.

16
Digital Forensics Tips
  • Verify that the tools you are using are
    authentic.
  • Verify checksums/hashes and run tools from a CD
    you know is not compromised.
  • When performing live analysis on a
    feared-compromised system, mount a CD of trusted
    tools, such as F.I.R.E. or KnoppixSTD, directly.
  • Use calls directly to instructions and bypass
    system calls or libraries that may be
    compromised.
  • Utilize bleeding-edge tools like MemParser to
    bypass and detect current rootkits like Hacker
    Defender [7].
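As an added example (not code from the slides or from any tool they name), the following Python script puts the advice of slides 8, 14 and 16 into practice on the defender's side: a Tripwire-style baseline check that flags responder tool binaries whose hash no longer matches a known-good list, and an evidence collector that works most-volatile-first and records MD5, SHA-1 (the hashes the slides name) and SHA-256 with a timestamp in a manifest that can be re-verified later. The volatility categories, file names and sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed order-of-volatility ranks (most volatile first); illustrative categories.
VOLATILITY = {"memory": 0, "network": 1, "processes": 2, "disk": 3, "logs": 4}

def hash_file(path, chunk_size=65536):
    """MD5 and SHA-1 (as on the slides) plus SHA-256 of a file, read in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def verify_tools(known_good, tool_dir):
    """Tripwire-style baseline check: names whose SHA-256 is missing or differs."""
    bad = []
    for name, expected in known_good.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path) or hash_file(path)["sha256"] != expected:
            bad.append(name)   # replaced, trojaned or absent utility
    return bad

def collect_evidence(items):
    """Order items most-volatile-first; record hashes and a UTC timestamp for each."""
    manifest = []
    for item in sorted(items, key=lambda i: VOLATILITY[i["kind"]]):
        entry = {"kind": item["kind"], "path": item["path"],
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        entry.update(hash_file(item["path"]))   # hash at collection time
        manifest.append(entry)
    return manifest

def demo():
    """Constructed sample: intact 'ps', replaced 'ls', evidence handed over out of order."""
    work = tempfile.mkdtemp()
    os.mkdir(os.path.join(work, "tools"))
    files = {"tools/ps": b"hello\n", "tools/ls": b"trojaned ls\n",
             "disk.img": b"disk image\n", "syslog": b"log lines\n", "mem.dump": b"hello\n"}
    for rel, data in files.items():
        with open(os.path.join(work, rel), "wb") as fh:
            fh.write(data)
    # Baseline recorded when the trusted tool CD was built (constructed values).
    known_good = {"ps": hashlib.sha256(b"hello\n").hexdigest(),
                  "ls": hashlib.sha256(b"genuine ls\n").hexdigest()}
    items = [{"kind": k, "path": os.path.join(work, p)}
             for k, p in (("disk", "disk.img"), ("logs", "syslog"), ("memory", "mem.dump"))]
    return verify_tools(known_good, os.path.join(work, "tools")), collect_evidence(items)
```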

17
Building the case
  • It is essential to the digital investigation to
    be able to prove a link between intruder and
    compromised hosts on the network.

18
eTrust Network Forensics with Netflow
(Image taken from [1] without permission from
author)
19
A good attack relationship
Eoghan Casey's Intrusion Timeline [1]
20
Conclusions
  • Digital Forensics standards of practice are being
    developed and will hopefully be adopted by many.
  • Use reliable and current tools in investigations.
  • Document, document, document.
  • Digital Forensics is a tug-of-war between digital
    investigators and anti-forensics researchers.

21
Questions
22
References
  • [1] Eoghan Casey. Investigating sophisticated security breaches. Communications of the ACM. http://webapps.d.umn.edu:2295/10.1145/1120000/1113068/p48-casey.html?key1=1113068&key2=5451343411&coll=portal&dl=ACM&CFID=68206743&CFTOKEN=8585321
  • [2] Digital Forensics Research Workshop. http://www.dfrws.org/
  • [3] FU Rootkit homepage. http://www.rootkit.com
  • [4] Raising The Bar For Windows Rootkit Detection. http://www.phrack.org/show.php?p=63&a=8
  • [5] Mick Bauer. Paranoid penguin: seven top security tools. http://webapps.d.umn.edu:2295/10.1145/970000/966080/7235.html?key1=966080&key2=6272343411&coll=portal&dl=ACM&CFID=68206743&CFTOKEN=8585321
  • [6] Forensic Incidence Response Environment Homepage. http://fire.dmzs.com/
  • [7] Chris Betz. Overview of memparser Analysis Tool. http://www.dfrws.org/2005/challenge/memparser.html
  • [8] Brian D. Carrier. Risks of Live Digital Forensic Analysis. http://webapps.d.umn.edu:2295/10.1145/1120000/1113069/p56-carrier.pdf?key1=1113069&key2=3691343411&coll=portal&dl=ACM&CFID=68206743&CFTOKEN=8585321
  • [9] Frank Adelstein. Next-generation cyber forensics: Live forensics, diagnosing your system without killing it first. http://webapps.d.umn.edu:2157/ft_gateway.cfm?id=1113070&type=pdf&coll=portal&dl=ACM&CFID=68206743&CFTOKEN=8585321