 Known by many names
   forensic analysis
   electronic discovery
   electronic evidence discovery
   digital discovery
   data recovery
   data discovery
   computer analysis
   computer examination

 Computer Forensics is the process of methodically examining computer media for evidence
   The collection, preservation, analysis, and presentation of computer-related evidence
   Much more than the recovery of data
    ▪ The goal of recovering data is to retrieve lost data
    ▪ The goal of forensics is to retrieve AND interpret as much information about it as possible

 Computer Crime
   Computers can be involved in a wide variety of crimes
    ▪ murder, terrorism, counterintelligence, economic espionage, counterfeiting, drug trafficking, and sexual exploitation
    ▪ Other?

 Computer Crime (cont.)
   A computer can play one of three roles in a computer crime (sometimes combined)
    ▪ Target of the crime
    ▪ Instrument of the crime
    ▪ Evidence repository, storing information about the crime
   Knowing what role a computer played in a computer crime will help tailor the analysis to that particular role

 Computer Forensic Objective
   To recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law.
 Computer Forensic Priority
   Primarily concerned with forensic procedures, rules of evidence, and legal processes
   Secondarily concerned with computers
   ACCURACY is the absolute priority

 Computer Forensics Specialist
   Must take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system
    ▪ Protect the subject computer during the forensic examination from any possible alteration, damage, or data corruption
    ▪ Discover all files on the subject system
    ▪ Recover all (or as much as possible) discovered deleted files

 Computer Forensics Specialist
    ▪ Reveal the contents of hidden files as well as temporary or swap files
    ▪ Access (if possible and legally appropriate) the contents of protected or encrypted files
    ▪ Analyze all possibly relevant data found in special areas of a disk (unallocated space, slack space, HPA, etc.)
    ▪ Print out an overall analysis of the subject system
    ▪ Provide an opinion of the system layout, file structures, discovered data, attempts to hide or delete data, attempts to protect or encrypt data, and anything else relevant

 Computer Forensics Specialist
    ▪ Provide expert consultation and/or testimony

 Electronic evidence can be very expensive to collect
   Processes are strict and exhaustive
   Systems affected may be unavailable for regular use for long periods of time
   Analysis of data collected must be performed, which can take a very long time

 Two reasons to collect evidence
   Future Prevention
    ▪ If you don’t know what happened, you won’t be able to stop someone from doing it again
    ▪ Cost of collection may be high, but repeated compromise will almost certainly be higher

 Two reasons to collect evidence (cont.)
   Responsibility
    ▪ Two parties after an attack: attacker and victim
    ▪ Attacker is responsible for the damage done
       Only adequate evidence will prove the attacker’s actions and bring them to justice
    ▪ Victim is responsible to the community
       Information gathered after a compromise can be examined and used by others to prevent further attacks
       May also have a legal requirement to perform analysis
       e.g. if the attack was part of a larger attack

 Two options
   Pull system from network and begin collecting evidence
    ▪ May leave you with insufficient evidence
    ▪ Dead man switch may destroy evidence once removed from the network
   Leave system online and begin monitoring for the intruder
    ▪ May alert intruder, causing them to destroy evidence
    ▪ Potential liability if attacker launches further attacks from your network
   Your decision must be based on the situation

 Real evidence
   Any evidence that speaks for itself without relying on anything else
 Testimonial Evidence
   Evidence supplied by a witness
    ▪ Subject to perceived reliability of the witness
   Can be almost as powerful as real evidence
 Hearsay
   Evidence presented by a person who was not a direct witness
   Generally inadmissible in court
   Should be avoided

 Five rules of collecting electronic evidence
   Admissible
   Authentic
   Complete
   Reliable
   Believable

 Admissible
   Most basic rule
   Must be able to be used in court
   Failure to comply with this rule is equivalent to not collecting the evidence at all

 Authentic
   Must be able to show that evidence relates to the incident in a relevant way
   If it can’t be positively related to the incident, it can’t be used
   The integrity and chain of custody of the evidence must be intact

 Complete
   Don’t just collect evidence that shows one perspective of the incident
    ▪ Collect evidence that can prove the attacker’s actions
    ▪ Collect evidence that could prove their innocence
    ▪ If attacker was logged in during incident, you must also show who else was logged in and why you think they didn’t do it
    ▪ This is called exculpatory evidence and is very important in proving a case

 Reliable
   Evidence collection, examination, analysis, preservation and reporting procedures and tools must be able to replicate the same results over time
   Evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity

 Believable
   Evidence should be clearly understandable and believable to a jury
    ▪ No point presenting a binary dump of process memory if the jury has no idea what it means
    ▪ If evidence is presented in a formatted, human-understandable version, you must be able to show the relationship to the original binary evidence; otherwise the jury can be led to think the evidence was fabricated

 G8 Principles – Procedures Relating to Digital Evidence
   When dealing with digital evidence, all general forensic and procedural principles must be applied.
   Upon seizing digital evidence, actions taken should not change that evidence.
   When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.

 G8 Principles – Procedures Relating to Digital Evidence
   All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved, and available for review.
   An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
   Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

 Do’s and Don’ts
   Minimize handling
    ▪ Once a copy is made of the original data, DON’T TOUCH IT – only handle secondary copies
    ▪ Remove any avenues for change
   Account for any changes & keep detailed logs
    ▪ Sometimes evidence alteration is unavoidable
    ▪ Document the nature, extent, and reasons for any changes

 Do’s and Don’ts (cont.)
   Comply with the Five Rules of Evidence
    ▪ If you don’t follow them, you’re wasting your time
   Do not exceed your knowledge
    ▪ If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe what exactly you did
    ▪ Acquire knowledge before you proceed!

 Do’s and Don’ts (cont.)
   Follow your local security policy
    ▪ If you fail to comply with your local security policy, the evidence may be inadmissible
    ▪ You could also end up in trouble yourself
   Capture as accurate an image of the system as possible
    ▪ Relates to minimizing the handling (corruption?) of the original data
    ▪ Differences between the original system and the master copy count as changes and must be accounted for

 Do’s and Don’ts (cont.)
   Be prepared to testify
    ▪ Without the collector of the evidence being present to validate the documents created during the evidence collection process, the evidence becomes hearsay (i.e. inadmissible)
    ▪ If you aren’t willing to testify, stop before you start collecting evidence
    ▪ You will need to testify at multiple points in time – you must be able to replicate your actions to prove the same result

 Do’s and Don’ts (cont.)
   Work fast
    ▪ The faster you work, the less likely the data is going to change
    ▪ Volatile evidence may vanish completely if not collected in time
    ▪ If multiple systems are involved, work on them in parallel
    ▪ Be methodical

 Do’s and Don’ts (cont.)
   Proceed from volatile to persistent evidence
    ▪ Some electronic evidence is more volatile than other evidence
    ▪ Collect the most volatile evidence first
   Don’t run any programs on the affected system
    ▪ Attacker may have left trojaned programs and libraries on the system
    ▪ What you think could be an innocent command, like “ipconfig”, may cause a system to destroy evidence
    ▪ If you MUST run a program on the affected system, use a known “good” copy of the program (e.g. from a CD-ROM)

 Do’s and Don’ts (cont.)
   Don’t shutdown before collecting evidence
    ▪ NEVER NEVER NEVER shutdown a system before you collect the evidence
    ▪ All volatile evidence will be lost
    ▪ Attacker may use startup/shutdown scripts to destroy evidence
    ▪ Temporary files may be wiped out
    ▪ REBOOTING IS EVEN WORSE! Never boot from the system drive again – only use copies!

 Not all evidence on a system will last very long
   Some evidence resides in storage that requires constant power
   Other evidence may be stored in information that is constantly changing
   When collecting evidence, proceed from the most volatile to the least volatile

 To determine what evidence to collect first, prepare an order of volatility
   e.g.
    ▪ Registers and cache
    ▪ Routing tables
    ▪ ARP cache
    ▪ Kernel statistics and modules
    ▪ Main memory
    ▪ Temporary system files
    ▪ Secondary memory
    ▪ Router configuration
    ▪ Network topology

 Identification of Evidence
   Distinguish between evidence and junk data
   Know what the data is, where it is located, and how it is stored
 Preservation of Evidence
   Preserve evidence as close as possible to its original state
   Any changes made MUST be documented

 Analysis of Evidence
   Extract the relevant information and recreate the chain of events
   Requires in-depth knowledge of what you are looking for and how to find it
   Ensure those analyzing the evidence are fully qualified

 Presentation of Evidence
   Communicate the meaning of the evidence
   Manner of presentation is very important
   Must be understandable by a layman
    ▪ If a jury can’t understand the evidence, it is worthless
   Must remain technically correct and credible

 Once a plan of attack is developed and the desired evidence is identified, the collection process can begin
 Storage of the collected evidence is also important – it can affect how the data is perceived

 Logs and Logging
   Run some type of system logging
    ▪ Keep logs secure
    ▪ Back up logs (a simple file copy should suffice)
    ▪ Create a HASH of the log files (MD5, SHA-1) to ensure integrity
    ▪ Encrypt the logs to ensure confidentiality
    ▪ Use a syslog server if possible
    ▪ Logs stored on a compromised system are at risk of being altered or destroyed by the attacker

 Monitoring
   Monitoring network traffic can be useful for many reasons
    ▪ Gather statistics
    ▪ Watch for irregular activity
    ▪ Trace where an attack came from and what the attacker is doing

 Two basic forms of collection
   Freezing the scene
    ▪ Take a snapshot of the system in its compromised state
    ▪ Ensure appropriate authorities are notified
   Honeypotting
    ▪ Create a replica system to lure the attackers for further monitoring
    ▪ Sandboxing can be performed to limit what the attacker can do while still on the compromised system

 Whenever a system is compromised, there is almost always something left behind by the attacker
   Code fragments
   Trojaned programs
   Running processes
   Log files
   Etc.

 Basic evidence collection steps
   Find the evidence
   Find the relevant data
   Create an order of volatility
   Remove external avenues of change
   Collect the evidence
   Document EVERYTHING

 Once data is collected, it must be protected from contamination
   Verified duplicates should be used for analysis
   Never use original evidence for analysis
 Keep a chain of custody
   A detailed list of what was done with the original evidence, once it was collected
    ▪ Who found the data
    ▪ When and where it was transported and by whom
    ▪ Who had access to the data and what they did with it
   This will be questioned in legal proceedings
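The chain-of-custody record the slide describes can be kept so that later edits to it are detectable. The example below is added here and is not part of the original presentation: each custody entry commits to the evidence hash, the handler, the action, the location, the time and the hash of the previous entry, so altering or dropping an earlier entry breaks verification of everything after it. The evidence id, names, places and times are constructed sample values.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Every entry commits to the evidence hash, the handler, the action, the
    location, the time, and the hash of the previous entry, so editing or
    removing an earlier entry invalidates every entry after it.
    """

    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.evidence_id = evidence_id
        self.evidence_hash = evidence_hash
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the entry's own hash, with stable key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

    def record(self, who: str, action: str, location: str, when: str) -> str:
        """Append one custody event and return its entry hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "who": who,
            "action": action,
            "location": location,
            "when": when,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or removed."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if entry["evidence_id"] != self.evidence_id:
                return False
            if entry["evidence_hash"] != self.evidence_hash:
                return False
            if self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    # Constructed values: the evidence hash stands in for the digest of a disk image.
    log = CustodyLog("EV-2024-0001", sha256_hex(b"constructed disk image bytes"))
    log.record("J. Doe (responder)", "imaged subject drive", "Server room B", "2024-03-01T09:58:00Z")
    log.record("J. Doe (responder)", "sealed and transported", "Evidence van", "2024-03-01T11:30:00Z")
    log.record("A. Smith (examiner)", "received, seal intact", "Lab vault 2", "2024-03-01T13:05:00Z")
    intact_before = log.verify()
    # A later attempt to rewrite who performed the imaging is detected.
    log.entries[0]["who"] = "Unknown"
    return intact_before, log.verify()
```

The hash chain only proves that the record has not changed since each entry was written; it does not replace signatures, witnesses or the physical seals the rest of the slides call for. Storing the entry hashes on a separate system (a printed log, a write-once medium) is what lets an examiner show the chain was not rewritten wholesale.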

 Computer evidence is odd, to say the least
   Any information related to an incident in physical or binary (digital) form that may be used to support or prove the facts of an incident.
   Exists on computer HDs and FDs at three different locations, two of which are not visible to the computer user
   Such evidence is fragile and can be destroyed by something as simple as normal operation of the computer
   Computer evidence is frequently challenged in court

 Computer evidence (cont.)
   Confusion exists over the legal classification
    ▪ Is it documentary evidence?
    ▪ Would require reams of printout under the best evidence rule
    ▪ Is it demonstrative evidence?
    ▪ Would require a true-to-life sample of the reconstructed evidence
   The problem of establishing the expertise of computer forensics experts also exists

 Three basic evidence rules to gain admissibility
   Authentication
    ▪ Showing a true copy of the original
   The best evidence rule
    ▪ Evidence that most closely matches the original or real evidence. This can be original media or it may be the most forensically sound copy of the data (a bit-stream copy) available
   Exceptions to the hearsay rule
    ▪ When a confession or business or official records are involved

 Computer evidence is fragile
   Compounded by destructive programs and hidden data
   Normal operations of a computer can destroy evidence
    ▪ unallocated space
    ▪ file slack
    ▪ swap files
    ▪ etc.

 Every case is different and the investigator must apply flexibility to the approach taken
 Some general guidelines can be used as a template for the investigator to follow

 General guidelines
   Collect volatile evidence first
    ▪ evidence that resides in volatile memory
   Halt the computer
    ▪ Do NOT use the shutdown option in the OS
    ▪ Pull the plug from the wall
    ▪ This will prevent the OS from performing any cleanup tasks and shutdown scripts
    ▪ Be careful of whole disk encryption!

 General guidelines (cont.)
   Document the hardware configuration
    ▪ Before dismantling the computer, take pictures of the system from all angles to document how the computer is connected
    ▪ Label each wire
    ▪ Once the case is opened take more pictures from all angles (once the system is in a secure location)
    ▪ Document all components
    ▪ Include model numbers, serial numbers, burned-in addresses (MAC), etc.

 General guidelines (cont.)
   Transport the computer to a secure location
    ▪ Ensure that a chain of custody is established
    ▪ It is imperative that the subject computer is treated as evidence and stored out of reach of curious users
    ▪ Operating a seized computer will destroy evidence and violate the chain of custody

 General guidelines (cont.)
   Make a bit stream copy of the hard disk(s)
    ▪ Do not operate the computer to perform this step
    ▪ Do not perform any analysis on the original data
    ▪ Only perform analysis on the bit stream copy of the original data

 General guidelines (cont.)
   Mathematically authenticate data on all storage devices
    ▪ You must prove that the original evidence was not altered
    ▪ Generate one-way hashes of all storage devices
    ▪ MD5 – 128-bit digest
    ▪ SHA-1 – 160-bit digest
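The two preceding slides (bit stream copy, then mathematical authentication) are one procedure: read the source once, write every byte to the image, and record digests that later let anyone show the image still matches what was read. The example below is added here and is not code from the presentation; it images a constructed pseudo-random file standing in for a block device, hashes the bytes as they are read (the acquisition hash), then independently re-hashes source and image and compares them. MD5 and SHA-1 are the algorithms the slide names; SHA-256 is added alongside them since collisions are known for both older algorithms. File names and sizes are constructed.

```python
import hashlib
import os
import random
import tempfile

BLOCK_SIZE = 4096
# MD5 and SHA-1 as named on the slide; SHA-256 added because collisions are
# known for both of the older algorithms, so a modern hash should accompany them.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, block_size=BLOCK_SIZE):
    """Digest a file with every algorithm in ALGORITHMS in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        while chunk := f.read(block_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the bytes as they are read.

    The source is read exactly once; the digests returned are the acquisition
    hashes to write into the notes before the image is ever examined.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(block_size):
            for h in hashers.values():
                h.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    return {"bytes": copied, **digests}


def verify_image(src, dst):
    """Independently re-hash source and image; all algorithms must agree."""
    source = hash_file(src)
    image = hash_file(dst)
    return source == image, {"source": source, "image": image}


def make_constructed_source(path, size=64 * 1024, seed=7):
    """Deterministic pseudo-random bytes standing in for a subject drive (constructed)."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(size)))


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        subject = os.path.join(workdir, "subject_drive.raw")  # a block device in practice
        image = os.path.join(workdir, "evidence.dd")
        make_constructed_source(subject)
        acquisition = bitstream_copy(subject, image)
        match, report = verify_image(subject, image)
        acquisition_agrees = all(acquisition[a] == report["image"][a] for a in ALGORITHMS)
        return acquisition["bytes"], match, acquisition_agrees
```

In practice the source is opened through a hardware or software write blocker, the byte count is compared against the device's reported size, and the digests are written into the case notes and the chain-of-custody record at acquisition time; re-running `hash_file` on the image before each examination is how an examiner shows the copy under analysis is still the one that was acquired.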

 General guidelines (cont.)
   Document the system date and time
    ▪ Dates and times associated with computer files are extremely important
    ▪ If the time is incorrect, then all file timestamps will be incorrect as well
    ▪ In order to account for time differences, it is essential to document system date and time at the time the computer is taken into evidence

 General guidelines (cont.)
   Make a list of key search words
    ▪ Due to the size of hard drives, it can be virtually impossible to manually view and evaluate all files
    ▪ Searching for specific keywords can be used to help find relevant evidence
    ▪ Usually some information is known about the allegations
    ▪ Avoid using common words

 General guidelines (cont.)
   Evaluate file slack
    ▪ File slack is a data storage area that most computer users are unaware of
    ▪ File slack is a significant source of security leakage
    ▪ File slack can be used by the computer to store the contents of memory dumps that occur as files are closed
    ▪ Specialized forensic tools are required to view and evaluate file slack
    ▪ Search file slack for keywords

 General guidelines (cont.)
   Evaluate unallocated space (erased files)
    ▪ Unallocated space may contain data associated with deleted files
    ▪ Search unallocated space for keywords
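The three preceding slides (keyword list, file slack, unallocated space) describe one technique: search the raw bytes of the image rather than the file list, because slack and deleted data are not reachable through file names. The example below is added here and is not code from the presentation. It builds a constructed two-cluster image (a live file whose last cluster carries slack from an earlier occupant, then an unallocated cluster holding the remains of a deleted UTF-16LE document), searches it for each keyword in both ASCII and UTF-16LE, and labels each hit by the region it fell in. The 512-byte cluster size, the file contents and the keyword list are constructed; a real tool derives the allocated extent and cluster map from the file system metadata instead of the constant used here.

```python
import re

CLUSTER_SIZE = 512  # constructed; real cluster sizes come from the file system

# Constructed two-cluster "image": a live file whose last cluster still carries
# slack from whatever occupied the cluster before it, followed by an unallocated
# cluster holding the remains of a deleted UTF-16LE (Windows-style) document.
ALLOCATED_DATA = b"Quarterly report, nothing unusual here.\n"
SLACK_DATA = b"...old fragment: transfer to offshore acct 4471...\x00"
DELETED_DATA = "deleted memo: wire funds Friday".encode("utf-16-le")


def build_image() -> bytes:
    live_cluster = (ALLOCATED_DATA + SLACK_DATA).ljust(CLUSTER_SIZE, b"\x00")
    free_cluster = DELETED_DATA.ljust(CLUSTER_SIZE, b"\x00")
    return live_cluster + free_cluster


def classify_offset(offset: int, allocated_end: int) -> str:
    """Map a byte offset to the region it falls in.

    allocated_end is the logical end of the live file; a real tool takes it and
    the cluster map from the file system metadata (assumption: one live file).
    """
    if offset < allocated_end:
        return "allocated"
    if offset < CLUSTER_SIZE:
        return "slack"
    return "unallocated"


def search_image(image: bytes, keywords, allocated_end: int):
    """Find each keyword as ASCII and as UTF-16LE anywhere in the raw image.

    Returns (keyword, encoding, offset, region) tuples sorted by offset.
    Searching raw bytes instead of the file list is what surfaces slack and
    deleted content; the UTF-16LE form catches text written by Windows tools
    that an ASCII-only search would miss.
    """
    hits = []
    for keyword in keywords:
        encoded = {
            "ascii": keyword.encode("ascii"),
            "utf-16le": keyword.encode("utf-16-le"),
        }
        for encoding, needle in encoded.items():
            for match in re.finditer(re.escape(needle), image, flags=re.IGNORECASE):
                region = classify_offset(match.start(), allocated_end)
                hits.append((keyword, encoding, match.start(), region))
    return sorted(hits, key=lambda h: h[2])


def demo():
    image = build_image()
    # Specific terms rather than common words, as the slide advises (constructed list).
    return search_image(image, ["offshore", "wire funds", "quarterly"], len(ALLOCATED_DATA))
```

The region label is what turns a raw hit into evidence the analyst can explain: a keyword found in slack or unallocated space says something different from the same keyword in a live document, and the offset lets the finding be reproduced against the verified image.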

 General guidelines (cont.)
   Document filenames, dates, and times
    ▪ From an evidence standpoint, filenames, creation timestamps, and last modified timestamps are critical
    ▪ Catalog all allocated and erased files
    ▪ Files can be sorted by timestamp to establish a timeline of usage
       Can retrace an attacker’s actions based on what files were accessed and when
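Building the timeline this slide describes depends on the clock offset documented at seizure (the earlier "Document the system date and time" slide): every timestamp on the subject system is shifted by the difference between its clock and a trusted reference. The example below is added here and is not code from the presentation. It takes a constructed catalog of allocated and erased files with their subject-clock timestamps, applies the documented offset, and emits the created/modified events in corrected time order. The paths, timestamps and the 150-second clock skew are constructed, and the correction assumes the skew was constant over the period of interest.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class FileRecord:
    path: str
    created: datetime    # as stamped by the subject system's own clock
    modified: datetime
    deleted: bool = False  # True when recovered from unallocated space


def utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed seizure note: when the subject's clock read 10:00:00, a trusted
# reference read 09:57:30, so every subject timestamp is 150 s ahead of real time.
SUBJECT_CLOCK_AT_SEIZURE = utc(2024, 3, 1, 10, 0, 0)
REFERENCE_CLOCK_AT_SEIZURE = utc(2024, 3, 1, 9, 57, 30)

# Constructed catalog of allocated and erased files with subject-clock timestamps.
CATALOG = [
    FileRecord("C:/Users/jdoe/Documents/report.docx",
               utc(2024, 3, 1, 8, 0, 0), utc(2024, 3, 1, 8, 45, 0)),
    FileRecord("C:/Windows/Temp/~tmp0001.bin",
               utc(2024, 3, 1, 8, 30, 0), utc(2024, 3, 1, 8, 30, 0), deleted=True),
    FileRecord("C:/Users/jdoe/Downloads/setup.exe",
               utc(2024, 3, 1, 8, 20, 0), utc(2024, 3, 1, 8, 20, 0)),
]


def clock_offset(subject: datetime, reference: datetime) -> timedelta:
    """Positive when the subject clock runs fast relative to the reference."""
    return subject - reference


def build_timeline(records, offset: timedelta):
    """Return (corrected_time, event, path, deleted) tuples in time order.

    Correction assumes the offset was constant over the period of interest;
    that assumption is itself something to record in the notes.
    """
    events = []
    for r in records:
        events.append((r.created - offset, "created", r.path, r.deleted))
        if r.modified != r.created:
            events.append((r.modified - offset, "modified", r.path, r.deleted))
    events.sort(key=lambda e: e[0])
    return events


def demo():
    offset = clock_offset(SUBJECT_CLOCK_AT_SEIZURE, REFERENCE_CLOCK_AT_SEIZURE)
    return build_timeline(CATALOG, offset)
```

Reporting both the raw and the corrected timestamps, with the offset and how it was measured, keeps the timeline defensible: a reader can recompute every corrected value from the catalog and the seizure note.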

 General guidelines (cont.)
   Identify file, program, and storage anomalies
    ▪ Encrypted, compressed, and graphic files (etc.) store data in binary format
    ▪ Text data stored in these formats cannot be identified by a text search program
    ▪ Manual evaluation is required
    ▪ Depending on the type of file involved, the contents should be viewed and evaluated as potential evidence
    ▪ Based on what files have been deleted on a system, you can potentially make inferences as to what the attacker is/was attempting to do
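Two checks help single out the files this slide says need manual evaluation: comparing a file's leading bytes against known format signatures (so a `.txt` that is really an image is noticed), and measuring byte entropy (so content that is probably encrypted or compressed, and therefore invisible to a text search, is flagged). The example below is added here and is not code from the presentation; the signature table covers a handful of common formats, the 7.5 bits-per-byte entropy cut-off is an assumed threshold to tune per case, and the three sample files are constructed.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Leading-byte signatures for a few common binary formats.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x1f\x8b": "gzip",
}
EXTENSION_ALIASES = {"jpg": "jpeg", "gz": "gzip"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per case

FLAG_MISMATCH = "extension mismatch"
FLAG_HIGH_ENTROPY = "high entropy (possibly encrypted or compressed)"
FLAG_BINARY = "binary content (not text-searchable)"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for random/encrypted data, ~4-5 for prose."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_type(data: bytes) -> str:
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512]):
        return "text"
    return "unknown-binary"


def assess(path: str) -> dict:
    """Describe one file: detected type, entropy, and anomaly flags to review."""
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    detected = detect_type(data)
    entropy = shannon_entropy(data)
    flags = []
    if detected in SIGNATURES.values() and detected != ext:
        flags.append(FLAG_MISMATCH)
    if entropy > ENTROPY_THRESHOLD:
        flags.append(FLAG_HIGH_ENTROPY)
    if detected != "text":
        flags.append(FLAG_BINARY)
    return {"file": os.path.basename(path), "extension": ext,
            "detected": detected, "entropy": round(entropy, 3), "flags": flags}


def demo():
    """Assess three constructed files and return results keyed by file name."""
    rng = random.Random(11)
    samples = {
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100,   # image hiding behind .txt
        "readme.txt": b"Meeting notes for Friday: nothing unusual to report.\n" * 20,
        "backup.dat": bytes(rng.getrandbits(8) for _ in range(4096)),  # random bytes
    }
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = assess(path)
        return results
```

Neither check proves anything by itself: a signature mismatch can be an innocent renaming and a high-entropy file can be a legitimate archive. Their purpose is triage, producing the list of files that the slide says must be opened and evaluated by hand rather than left to a keyword search.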

 General guidelines (cont.)
   Document your findings
    ▪ Document all actions you take
    ▪ Document all findings and evidence that are found
    ▪ Include proof of licensing for whatever forensic tool is used
    ▪ Use of pirated software will compromise an entire case
    ▪ Document the software and methods used to collect evidence
    ▪ A digital camera and digital recorder can be useful when documenting
    ▪ Document EVERYTHING!

 General guidelines (cont.)
   Retain copies of software used
    ▪ Keep a copy of the exact version of any software used to collect evidence
    ▪ Create a hash of any software used to collect evidence
    ▪ Different versions of software may produce different results
    ▪ You may be required to prove your results through duplication. Using the same version of the software used will aid in this
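A tool manifest is the concrete form of this slide: for each program used to collect evidence, record its name, version and the hash of the exact binary, then compare against that record before any re-run. The example below is added here and is not code from the presentation; the two "tool" files and their versions are constructed stand-ins for real forensic binaries, and the manifest format is an assumption of this example.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tools):
    """tools: iterable of (name, version, path). Records the exact binary used."""
    return [{"name": n, "version": v, "file": os.path.basename(p), "sha256": sha256_file(p)}
            for n, v, p in tools]


def check_manifest(manifest, tools):
    """Compare the tools available now against the recorded manifest.

    Returns human-readable discrepancies; an empty list means the same binaries,
    byte for byte, are in use, so a re-run should reproduce the earlier results.
    """
    recorded = {m["name"]: m for m in manifest}
    problems = []
    for name, version, path in tools:
        entry = recorded.get(name)
        if entry is None:
            problems.append(f"{name}: not in manifest")
            continue
        if version != entry["version"]:
            problems.append(f"{name}: version {version} differs from recorded {entry['version']}")
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"{name}: binary hash differs from recorded {entry['sha256'][:12]}...")
    for name in recorded.keys() - {t[0] for t in tools}:
        problems.append(f"{name}: recorded in manifest but not available now")
    return problems


def demo():
    with tempfile.TemporaryDirectory() as d:
        imager = os.path.join(d, "imager")
        hasher = os.path.join(d, "hashtool")
        # Constructed stand-ins for the collection tools' binaries.
        with open(imager, "wb") as f:
            f.write(b"constructed imager binary v1.0")
        with open(hasher, "wb") as f:
            f.write(b"constructed hash tool binary v2.3")
        tools = [("imager", "1.0", imager), ("hashtool", "2.3", hasher)]
        manifest = build_manifest(tools)
        same_tools = check_manifest(manifest, tools)
        # Later, a different build of the imager has been installed.
        with open(imager, "wb") as f:
            f.write(b"constructed imager binary v1.1")
        later = check_manifest(manifest, [("imager", "1.1", imager), ("hashtool", "2.3", hasher)])
        return len(same_tools), later
```

Keeping the manifest next to the retained copies of the binaries, and recording it in the case documentation, is what lets a later examiner (or an opposing expert) duplicate the results with exactly the software that produced them.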