COMPUTER FORENSICS Aug. 11, 2000 for Cambridge, Massachusetts

COMPUTER FORENSICS CAN BE MANY THINGS  Corporate or University internal investigation  FBI or (unlikely) Sheriff investigation  Computer Security Research  Post Mortem or Damage Assessment  Child Pornography  Fraud  Espionage & Treason  Corporate or University Policy Violation  Honey-pots Computer Forensics ultimately support or refute a case someone cares to make.

FORENSICS IS A FOUR STEP PROCESS  Acquisition  Identification  Evaluation  Presentation RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications) by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)

PRESENTATION – Starting at the End  Many findings will not be evaluated to be worthy of presentation as evidence.  Many findings will need to withstand rigorous examination by another expert witness.  The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.  The Chain of Custody may be challenged.

EVALUATION – What the Lawyers Do  This is what lawyers (or those concerned with the case) do. Basically, determine relevance.  Presentation of findings is key in this phase.  Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.

IDENTIFICATION – Technical Analysis  Physical Context  Logical Context  Presentation/Use Context  Opinion to support relevance of findings  Handling and labeling of objects submitted for forensic analysis is key.  Following a documented procedure is key.

FBI List of Computer Forensic Services  Content (what type of data)  Comparison (against known data)  Transaction (sequence)  Extraction (of data)  Deleted Data Files (recovery)  Format Conversion  Keyword Searching  Password (decryption)  Limited Source Code (analysis or compare)  Storage Media (many types)

THE EVIDENCE LOCKER  Restricted Access and Low Traffic, Camera Monitored Storage.  Video Surveillance & Long Play Video Recorders  Baggies for screws and label everything!  Sign In/Out for Chain of Custody

ACQUISITION – What Are the Goals?  Track or Observe a Live Intruder?  Assess Extent of Live Intrusion?  Preserve “Evidence” for Court?  Close the Holes and Evict the Unwanted Guest?  Support for Sheriff, State Police or FBI Arrest?  Support for Court Ordered Subpoena?

GROUND ZERO – WHAT TO DO  do not start looking through files  start a journal with the date and time, keep detailed notes  unplug the system from the network if possible  do not back the system up with dump or other backup utilities  if possible without rebooting, make two byte by byte copies of the physical disk  capture network info  capture process listings and open files  capture configuration information to disk and notes  collate mail, DNS and other network service logs to support host data  capture exhaustive external TCP and UDP port scans of the host  contact security department or CERT/management/police or FBI  if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented  short-term storage  packaging/labeling  shipping

ADDITIONAL RESOURCES  RCMP Article on the Forensic Process. grc.gc.ca/tsb/pubs/bulletins/bull41_3.htmhttp:// grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm  Lance Spitzner’s Page: Forensic Analysis, Building Honeypots  Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts.  The Forensic Toolkit (NT).  Long Play Video Recorders.  FBI Handbook of Forensic Services.  Solaris Fingerprint Database for cryptographic comparison of system binaries.  Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. improvement/implementations/i htmlhttp:// improvement/implementations/i html

Thank you … … very much, MIT!