Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Forensics
Forensics – What is it? Main concerns:
– Investigating and analyzing computer systems used in violation of laws
– Investigating computer systems for compliance with company policies
– Investigating computer systems that have been attacked (part of incident response)

Forensics and Laws
Forensics deals with legal concerns more than most other IT-related duties. Evidence must be collected if you want to take legal action. Computer and network evidence is troublesome because it is hard to “sense” and hard to prove. In fact, it is generally considered “hearsay” evidence.

Random Thought
Unlike many other areas of security, which can mix and match, forensics should always be done by a dedicated forensics person. Forensics is a structured PROCESS for data and evidence collection and should always be done by someone who specifically focuses on these processes and procedures.

Standards for Evidence
For evidence to be considered credible it generally must be:
– Sufficient – convincing on its own
– Competent – legally allowed and “reliable”
– Relevant – must be material to the case and have bearing on the matter in question
(more)

Types of Evidence
Some evidence is “stronger” than other evidence. There are a few types of evidence:
– Direct Evidence – supports the truth of an assertion; for example, a witness who testifies they were present and saw a hacker break into a system.
– Circumstantial Evidence – indirectly proves a fact; it may back up another fact that is used to prove something.
– Real Evidence – tangible evidence that proves or disproves a fact (e.g. fingerprints).
(more)

Types of Evidence
– Documentary Evidence – printouts, manuals, records, etc. Most computer evidence is of this type.
– Demonstrative Evidence – a model or display used to aid the jury in understanding that an event occurred.

3 rules of evidence
1. Best Evidence rule – courts prefer the original evidence rather than copies.
2. Exclusionary rule – evidence illegally seized cannot be used. If evidence is collected in violation of the Electronic Communications Privacy Act, it will be excluded… that means a company MUST have a policy, and employees must understand that they are being monitored, if the company wants to use computer evidence against them.
3. Hearsay – hearsay is second-hand evidence, not gathered from the personal knowledge of a witness. Computer-generated evidence is hearsay evidence.

Evidence Collection
Evidence should be collected in a way that is reliable and doesn’t compromise the evidence itself! Sometimes when you notice a break-in you have to weigh the cost of “stopping” the activity (turning off the server) against keeping it running. Why? Anybody?
(more)

Evidence Collection
Steps in collecting evidence on a machine:
1. Dump system memory
2. Power down the system
3. Make a bit-level image of the machine, using a stand-alone machine (not the machine in question)
4. Analyze the image
(more)

Evidence Collection
When imaging a hard drive you should make at least 3 copies:
– The original drive AND the 1st copy of the original should be stored away
– The 2nd copy should be used for file authentication
– The 3rd copy should be the drive you analyze
You should never use the tools on the computer in question; you should use a clean “forensics station” to analyze the hard drives. (Why?)
You should always record the checksums of all the files on the computer before analysis (do example). See the related next slide (Tripwire).
(more)
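The checksum step above (and the same point on the “Conducting the investigation” slide) as an added, self-contained example; this is not code from the slides or from Tripwire. It streams SHA-256 over each file so that disk images of any size can be hashed, authenticates the image copies against the original, and re-checks a baseline to report anything added, removed or altered since it was recorded. The files it hashes are a constructed sample built in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root, baseline):
    """Re-hash root and report what changed since the baseline was taken."""
    now = hash_tree(root)
    return {"added": sorted(set(now) - set(baseline)),
            "removed": sorted(set(baseline) - set(now)),
            "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p])}


def copies_match(original, *copies):
    """File authentication: every image copy must hash identically to the original."""
    ref = sha256_file(original)
    return all(sha256_file(c) == ref for c in copies)


def demo():
    """Constructed scenario: a tiny 'image' plus two copies, then files altered after baselining."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "disk.img").write_bytes(b"\x00" * 4096 + b"constructed sample image")
        for n in (1, 2):  # the two working copies taken from the original
            shutil.copyfile(work / "disk.img", work / f"disk.copy{n}.img")
        ok = copies_match(work / "disk.img", work / "disk.copy1.img", work / "disk.copy2.img")
        files = work / "extracted"
        (files / "logs").mkdir(parents=True)
        (files / "notes.txt").write_bytes(b"original note")
        (files / "logs" / "auth.log").write_bytes(b"login ok\n")
        baseline = hash_tree(files)  # recorded BEFORE any analysis starts
        (files / "notes.txt").write_bytes(b"original note (edited)")  # a change during analysis
        (files / "logs" / "auth.log").unlink()
        return ok, verify_tree(files, baseline)
    finally:
        shutil.rmtree(work)
```

Storing the baseline dictionary with the case file is what lets you later prove, file by file, that the analysis did not alter the evidence.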

Tripwire screen shot

Evidence Collection
Evidence should be marked when collected:
– Investigator, case number, date, time, location, description
A log book of evidence should be maintained.
There should be a witness to verify evidence collection.

Evidence Protection
You must protect the evidence physically from damage and tampering:
– Protect from heat/cold
– Vibration
– Magnetic fields
– If a device can receive electronic signals, shield the device

Transporting evidence
Log all times someone removes evidence. Be careful when transporting.

Storing Evidence
Store evidence in a locked-away and monitored/guarded area.

Chain of Custody
Once collected, you must protect evidence from tampering. Chain of Custody shows who obtained evidence, where it was stored, and who had access to it.
– Record each item
– Record who collected it, and where and when
– Description of evidence
– Tagged and sealed
– Obtain a signature from anyone accepting evidence
– Provide signatures and seals whenever evidence is opened
– Provide controls against tampering while in storage
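An added example (not from the slides) of keeping the chain-of-custody record itself tamper-evident: each custody entry carries the fields listed above and commits to the SHA-256 of the entry before it, so altering or removing an earlier entry breaks every later link. Hash-chaining the log is a technique assumed here, not one the slides prescribe; the case, item and seal numbers are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # the first entry links to a fixed, well-known value


def _digest(record):
    """Canonical SHA-256 over a record, so an edit to any field changes the hash."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def add_entry(log, item_id, action, custodian, location, when, seal=None, note=""):
    """Append a custody event; each entry commits to the hash of the previous one."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"item": item_id, "action": action, "custodian": custodian,
            "location": location, "time": when, "seal": seal, "note": note, "prev": prev}
    body["hash"] = _digest(body)
    log.append(body)
    return body["hash"]


def verify_log(log):
    """Walk the chain; return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev") != prev or _digest(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def demo():
    """Constructed log for one seized drive, then a retroactive edit of an early entry."""
    log = []
    add_entry(log, "CASE-0001/ITEM-03", "collected", "J. Doe", "Server room B, rack 4",
              "2024-03-05T09:12:00Z", seal="S-7781", note="Original drive, bagged and tagged")
    add_entry(log, "CASE-0001/ITEM-03", "transferred", "A. Smith", "Evidence locker 12",
              "2024-03-05T11:40:00Z", seal="S-7781")
    add_entry(log, "CASE-0001/ITEM-03", "opened for imaging", "A. Smith", "Forensics lab",
              "2024-03-06T08:05:00Z", seal="S-7782", note="Seal S-7781 broken, new seal applied")
    intact = verify_log(log)
    log[1]["custodian"] = "B. Nobody"  # someone rewrites history after the fact
    return intact, verify_log(log)
```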

Conducting the investigation
– Have a formal procedure beforehand!
– Have a professional do the analysis
– Take pictures beforehand
– Use a forensics station or a live CD for analysis (what is a live CD?)
– Image the hard drives multiple times with a bit-level method; work only on a copy
– Label the hard drive and store it in an anti-static bag
– Before doing any analysis, take a checksum of all files and store that information (why?)
– Keep a log of what you did and why; be able to explain and justify any action taken

File Deletion Terms
When a user deletes a file, it’s not actually removed (unless using a highly secure OS). Some important terms relating to this are:
– Free space – the space a deleted file took up that is still available after deletion (before something else uses it)
– Slack space – when file space is allocated, it is done in fixed-size blocks. A file will not actually use all of this space. The unused area of a file, even when the file is in use, is called the slack space. Information may be hidden in this space. (see visualization)
(more)

Slack Space
Hackers can hide data in the slack space to avoid detection.

Chapter 20 – Review Questions
Q. What is the concept of best evidence?
Q. When you want to do forensics on a computer, you should make a copy of the hard drive. What type of copy should you make?
Q. What is the MINIMUM number of copies you should make of the original hard drive?

Chapter 20 – Review Questions
Q. Put these steps of analysis in the correct order:
A. Analyze the drive
B. Power down the system
C. Dump memory
D. Image the hard drive
Q. Why do you run checksums/hashes on the original files before analysis?
Q. Why should someone witness you as you collect the evidence?
Q. What is the difference between “free space” and “slack space”?