Effective Discovery Techniques In Computer Crime Cases

Introduction

Storm’s Edge Technologies  IT Consulting Company servicing the Dallas/Fort worth area.  Services  PC Support and Custom Built PCs  Server Support and Custom Built Server  Network Support  Firewall Support  Web Site Development/Hosting  Custom Application Development  Computer Forensics  Disaster/Data Recovery Services

Contact Information Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX Phone: Fax: Web:

Forensic Process

Overview Image Hard Drive Process Forensic Image Discovery Procedures Analyze Forensic Image Document Findings Forensic Process

Stage of the Forensic Process Document & Photograph Connect Drive to Write Block Connect PC to Write Block Create Forensic Image Secure Original Evidence Drive Allocate 1 Day Image Hard Drive

Stage of the Forensic Process Update Forensic PC Windows & Anti-Virus Forensic Software Select Forensic Software Encase Forensic Tool Kit Etc… Start the processing Allocate 2-3 Days for each Drive Process Forensic Image

Stage of the Forensic Process Obtain Forensic Reports Review Case Documents Determine Search Terms Develop Analysis Strategy Allocate at least 1 Week Discovery Procedures

Stage of the Forensic Process Analyze Registry Hives Determine Operating System Determine Time Zone of PC Determine Users of PC Analyze Event Logs Perform Search of Terms Allocate at least 1 Week Analyze Forensic Image

Stage of the Forensic Process Generate Registry Reports Operating System Time Zone Users Etc… Generate Event Log Reports Usage Patterns Time Changes Generate Search Term Results Allow 2-4 Days Document Findings

Forensic Timeline 1 Day - Image Hard Drive 2-3 Days - Process Forensic Image 1 Week - Discovery Procedures 1 Week - Analyze Forensic Image 2-4 Days - Document Findings Note: Timeline is based on a single average PC with a 250GB Drive Forensic Process - 21 Days

Computers or Spies?  What can we determine from a PC  Users Passwords  Web-Sites viewed  Documents opened  Pictures viewed  Age of PC  Last Reboot Time  What files have been accessed, deleted, modified, etc…

Computers or Spies?  What can we determine from a PC  Who created the document  When documents were printed  What software created the document  What devices where used  Who has used the PC  What software has recently be used  When the OS was installed  The possibilities too numerous to list!

Integrating the PC  Registry Files contain an abundant amount of information to include  Usernames/Passwords for , websites, and programs  Internet Sites visited along with date/times  Search Terms used on Google and other search engines.  Recent file activity/access  List of software installed

Integrating the PC  Registry Files contain an abundant amount of information to include  Screen Saver required Password  User Logon Required or Not  Date Windows was Installed  Date each user last logged on.  Etc…

Integrating the PC  PC Event Logs can provide some insight into the use of a PC  Change in System Time  Boot/Startup Times  Problems with drivers & devices  Because the event logs generally cover a time period of several months they can provide a good history of activity.

Other Files  INI files are used by programs to store information/configuration.  Plain Text  Safe for Export  LNK (Short Cut) files will often provide insight to the users programs  Start Menu will give you a list of the common program they run/access.

Alibi with a PC  Establish who was using the PC  UserID/Password  Screen Saver w/Password  User Specific knowledge like logging into MySpace web-site.  Establish PC has the correct time  Check BIOS date vs. windows date  Check Event Log for time sync events

Alibi with a PC  Determine Activity and Time  File Dates (Creation, Access, Modified)  Web-Site Activity  Activity  Printer Activity

Classified/Sensitive Data  How to perform a Forensic Analysis when you can not possess the data.  Identify who has secured the evidence  Determine local policies in providing access  Process the Forensic Image files  Review any Sensitive Data on-site  Generate Report  Extract non-sensitive files for processing in your own forensic lab.  Request a review and copy of the report to ensure no classified/sensitive data is exported.

Extracting Non-Sensitive Files  Files to Extract for later processing  Registry Files  Event Logs  INI Files  LNK Files  Access Database of all files  FTK will create this as part of its normal processing of the Forensic Image Files.  EnCase will need to export a CSV file.

What is …  Slack Space – The area between the end of the file and the end of the cluster.  Free Space – The area available to store data including areas where files were stored but have been deleted.  Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions.  Swap File – File used to cache memory to the hard drive  Hibernation File – File used to store memory to the hard drive when hibernating

How Do I?  Prove a USB Key was used on a PC  Prove an Image was viewed  Recover Deleted Files  Determine if a user has opened a file  Prove a file was copied/moved  Find out when a file was deleted  Demonstrate a PC was used remotely  Show who created a file  Etc…..

Open Questions

Storm’s Edge Technologies Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX Phone: Fax: Web: