
The OWASP Foundation. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP AppSec Washington DC 2009
Digital Forensics: Worry about data loss
Motashim Al Razi, OWASP member

What is Digital Forensics?
Branch of forensic science: it applies the scientific method.
The preservation, recovery, analysis and reporting of digital artifacts, including information stored on:
- Computer/laptop systems (hard drives)
- Storage media (USB sticks, CDs, DVDs, cameras, etc.)
- Mobile phones
- Electronic documents
Typically used reactively; the field is moving toward proactive use:
- Reactive: court cases, incident response
- Proactive: mobile app security audits, continuous forensic monitoring

Storage Devices
There are 3 main types of storage devices used today:
1. Hard-disk drive (HDD): spinning magnetic platters used to store non-volatile data.
2. Solid-state drive (SSD): NAND flash chips behind a drive controller, used to store non-volatile data.
3. Embedded NAND flash memory
  - Typically found in smart phones, USB thumb drives and other portable devices
  - Usually soldered in place, not removable like a typical HDD or SSD
  - Characteristics very different from a standard HDD (limited program/erase cycles, so the controller wear-levels writes across blocks)
  - The physical contents are in a constant state of change under the flash translation layer (FTL), which remaps logical blocks and garbage-collects in the background; two raw reads of the same chip need not be identical

Acquisition strategies
Forensic analysts can acquire/receive data in 3 different ways:
Backup Files
- Backup files are provided by the custodian. This could include output of corporate backup software, a PST file, an iTunes backup, etc.
- Only what the backup tool chose to include is available; there is no unallocated space to carve.
Logical Acquisition
- A copy of the file system is created (e.g. a tar.gz of /, or a recursive copy that preserves date/time stamps)
- Captures the files the operating system can see; it does not capture deleted files, slack space or unallocated space.
Physical Acquisition
- Creates an exact bit-for-bit replica of the storage medium
- Can recover deleted data
- Requires specialized analysis tools and techniques
- Drive management firmware may still affect what is acquired (FTL remapping, reallocated bad blocks, etc.)

Image Verification
Hash value: a fixed-length digest computed over a set of data, normally written in hex.
- A hash value can be used to verify forensic image integrity. One slight change in the source causes an "avalanche" effect: the hash value changes completely.
- To show that two data sets are identical, their hash values must match; with a collision-resistant hash, matching values are accepted as proof that the image equals the source.
- In some instances hash values are not stable (NAND flash): a hash of the data as it is extracted is taken, but it will not necessarily match if the source is imaged again.
Common hash functions
- MD5 (128-bit value): still widely recorded, but practical collisions exist, so it should not be the only hash relied on
- SHA-256 (256-bit value): the one to rely on; record both when tools or the case file expect MD5
md5 of "Andrew Hoog" = 9bdbad9aecd74fce6e6bb48ee18100b8


How to acquire a forensic image
If possible, connect the drive through a hardware write blocker
- This prevents any writes to the drive (a host OS will otherwise mount it, replay journals and update timestamps on its own)
- Software write-blocking exists (read-only mounts, OS-level USB write protection) but is less reliable than hardware
- Generally impossible with NAND flash devices such as phones, where acquisition goes through the device's own controller and operating system
Forensically acquire the device with imaging software
- Open source: dd, dcfldd and dc3dd
- Free: FTK Imager and many others
- Commercial: FTK, EnCase, etc.
Verify source and image with a hash signature and record both hashes in the chain of custody.
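The physical acquisition, image verification and acquisition steps above, carried through as an added shell example; it is not part of the original OWASP slides. It assumes GNU coreutils (dd, sha256sum, md5sum) on Linux and substitutes a constructed 1 MiB file for the evidence drive so that it runs without root, a real disk or a write blocker. The paths, the chain-of-custody log format and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the OWASP slides: a physical acquisition with dd,
# source/image hash verification, a chain-of-custody record, and a check that
# a one-byte change is caught. Assumes GNU coreutils (dd, sha256sum, md5sum)
# on Linux. To run without root or a real disk, the "device" is a constructed
# 1 MiB file; in a real case SRC would be e.g. /dev/sdb behind a hardware
# write blocker and WORK would be the examiner's evidence drive.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/evidence_device"      # stands in for /dev/sdb
IMG="$WORK/evidence.dd"
COC="$WORK/chain_of_custody.log"

# Constructed sample "device": 1 MiB of repeating text. The size is a multiple
# of 512 so that conv=sync below never pads a final short block (padding would
# make the image larger than the source and the hashes would not match).
make_sample_device() {
    yes 'constructed sample evidence block' | head -c 1048576 > "$SRC"
}

# Digest of a file as one hex string. SHA-256 is the one to rely on; MD5 is
# recorded alongside because many tools and older case files still use it.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
md5_of()    { md5sum    "$1" | cut -d' ' -f1; }

# Physical acquisition: bit-for-bit copy of the whole medium. noerror keeps
# reading past read errors instead of aborting; sync pads a short read to bs so
# later sectors stay at the right offset in the image. Use bs=512 (or 4096 on
# 4Kn drives) so bs divides the device size. dd's own report goes to a log.
acquire_image() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>"$WORK/dd.log"
}

# Verification: hash the source again *after* imaging, so the record shows
# both that the image equals the source and that imaging left the source
# unchanged. Appends the result to the chain-of-custody log.
# Returns 0 when both digests match, 1 otherwise.
verify_image() {
    src_sha=$(sha256_of "$SRC"); img_sha=$(sha256_of "$IMG")
    src_md5=$(md5_of "$SRC");    img_md5=$(md5_of "$IMG")
    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ) examiner=$(id -un)"
        echo "source=$SRC bytes=$(wc -c < "$SRC")"
        echo "image=$IMG bytes=$(wc -c < "$IMG")"
        echo "sha256 source=$src_sha image=$img_sha"
        echo "md5    source=$src_md5 image=$img_md5"
    } >> "$COC"
    [ "$src_sha" = "$img_sha" ] && [ "$src_md5" = "$img_md5" ]
}

# Avalanche effect: change a single byte in a copy of the image and re-hash.
# Returns 0 when the copy's digest differs from the verified image's digest,
# i.e. when the change is caught. The sample text never contains '#', so the
# overwrite is guaranteed to alter the data.
tamper_detected() {
    cp "$IMG" "$WORK/tampered.dd"
    printf '#' | dd of="$WORK/tampered.dd" bs=1 seek=4096 conv=notrunc 2>>"$WORK/dd.log"
    [ "$(sha256_of "$IMG")" != "$(sha256_of "$WORK/tampered.dd")" ]
}

make_sample_device
acquire_image
verify_image && echo "image verified; record appended to $COC"
tamper_detected && echo "one-byte change detected by SHA-256 mismatch"
```

Plain dd needs a separate pass over the source to hash it; dcfldd and dc3dd hash the stream as they copy and write their own log, which matters when the source is a large or failing drive you want to read as few times as possible. The working directory is left in place so the log and image can be inspected afterwards.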

Digital evidence
What constitutes digital evidence?
- Any information, whether subject to human intervention or not, that can be extracted from a computer.
- Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
Computer forensics examples
- Recovering thousands of deleted e-mails
- Performing an investigation after an employee's termination
- Recovering evidence after a hard drive has been formatted
- Performing an investigation after multiple users have taken over the system

Reasons For Evidence
Wide range of computer crimes and misuses
Non-business environment: evidence collected by federal, state and local authorities for crimes relating to:
- Theft of trade secrets
- Fraud
- Extortion
- Industrial espionage
- Possession of pornography
- SPAM investigations
- Virus/Trojan distribution
- Homicide investigations
- Intellectual property breaches
- Unauthorized use of personal information
- Forgery
- Perjury

Reasons For Evidence (cont)
Computer-related crime and violations include a range of activities:
Business environment:
- Theft or destruction of intellectual property
- Unauthorized activity
- Tracking internet browsing habits
- Reconstructing events
- Inferring intentions
- Selling company bandwidth
- Wrongful dismissal claims
- Sexual harassment
- Software piracy

Who Uses Computer Forensics?
Criminal prosecutors
- Rely on evidence obtained from a computer to prosecute suspects
Civil litigation
- Personal and business data discovered on a computer can be used in fraud, divorce, harassment or discrimination cases
Insurance companies and the banking sector
- Evidence discovered on a computer can be used to reduce costs (fraud, worker's compensation, arson, etc.)
- When an entity is compromised and cardholder data (CHD) has been stolen, the entity must be investigated by a forensic company accredited by the card brands (referred to as a QIRA or QFI; the PCI Qualified Incident Response Assessor programme has since been renamed PCI Forensic Investigator, PFI)
Private corporations
- Evidence obtained from employee computers can be used in harassment, fraud and embezzlement cases
Law enforcement officials
- Rely on computer forensics to back up search warrants and for post-seizure handling
Individuals/private citizens
- Obtain the services of professional computer forensic specialists to support claims of harassment, abuse or wrongful termination from employment

How does computer forensics relate to law enforcement?
Flow of a case:
Controller -> Detection centre -> Cyber police -> Computer forensics lab -> Magistrate court (civil offence) or High Court (criminal offence)

Case Study: Banking Industry, Executive-Level Financial Fraud
- Case type: internal corporate fraud
- Environment: complex multi-location network and desktop computer forensics
- Industry: banking

Scenario: A large accounting firm was hired to audit certain activities related to loans to individuals on the Board of Directors of a medium-size, publicly traded bank (the "Bank"). During the audit, the auditors needed to examine several computer systems used by certain Bank employees as well as by certain Board members. Digital forensic examiners were immediately dispatched to arrange the forensic analysis of those systems and to search for corroborating evidence in support of the audit team's suspicions and findings. The systems forensically analyzed included laptop computers issued to managers in the loan origination department and desktop systems used by managers and Board members. E-mail (Exchange) servers as well as voicemail systems were also examined.

Existing law for digital forensics in Bangladesh
The ICT Act provides for this specifically:
- Part 2, Section 68: Cyber Tribunal (implementation, criminal investigation, trial, appeal, etc.)
- Part 3, Section 82: Cyber Appeal Tribunal

International Guidelines
- National Institute of Standards and Technology (NIST), US
- Association of Chief Police Officers (ACPO), UK, whose Good Practice Guide for Computer-Based Electronic Evidence sets out the principles for handling digital evidence
Digital forensics is a major part of IS auditing.

Summary & Conclusion