Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #8: Computer Forensics, Data Recovery and Evidence Collection
September 12, 2007
Outline
- Agenda for next several lectures
- Review of Part 1
- Data Recovery
- Evidence Collection and Data Seizure
- Useful Links and discussions
- Reference: Part II of Text Book: Chapters 5 and 6
Agenda for Lectures until October 8, 2007
- September 17, Chapters 7 and 8; Example programming projects
- September 19, Chapters 9, 10, 11
- September 24, Guest Lecture: Richardson Police Department
- September 26, Chapter 12: Network Forensics
- October 1, Guest Lecture: FBI North Texas
- October 3, Selected Paper Discussions
- October 8, Begin Part IV of book
Review of Part 1
- Lecture 1: Introduction
- Lecture 2: Fundamentals
- Lecture 3: Forensics Technologies
- Lecture 4: Botnets
- Lecture 5: Forensics Systems
- Lecture 6: Forensics Services
- Lecture 7: Malicious Code Detection
Data Recovery
- What is Data Recovery?
- Role of Backup in Data Recovery
- Data Recovery Solution
- Hiding and Recovering Hidden Data
What is Data Recovery
- Usually data recovery means recovering data that has been lost; e.g., when a system crashes some data may be lost, and with appropriate recovery procedures the data is recovered
- In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis
Role of Backup in Data Recovery
- Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if the system crashes the databases/files can be recovered to the previous consistent state
- Challenge: backing up petabyte-sized databases/files
- Obstacles for backing up
  - Backup window, network bandwidth, system throughput
- Current trends
  - Storage cost decreasing, systems have to be online 24x7
- Next generation solutions
  - Multiple backup servers, optimizing storage space
Data Recovery/Backup Solution
- Develop a plan/policy for backup and recovery
- Develop/Hire/Outsource the appropriate expertise
- Develop a system design for backup/recovery
  - Three tier architectures, caches, backup servers
- Examine state of the art backup/recovery products and tools
- Implement the backup plan according to the policy and design
Recover Hidden Data
- Hidden data
  - Files may be deleted, but until they are overwritten, the data may remain
  - Data stored on diskettes and stored inside another disk
- Need to get all the pieces and complete the puzzle
- Analysis techniques (including statistical reasoning) are being used to recover hidden data and complete the puzzle
- Reference:
  - ntfs
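The slide's first point, that deleted files remain until overwritten, is easiest to see on a toy filesystem. The following is an added example, not code from the lecture or its textbook: a constructed disk with a directory table and fixed-size blocks, where deleting a file only clears its directory entry (as most real filesystems do), and a signature-based carver that ignores the directory and still finds the file. The file layout, block size and sample PDF-like content are all constructed for the demonstration.

```python
"""Added example (not from the lecture): why deleted data stays recoverable.

A constructed toy "disk": a directory table plus fixed-size data blocks.
Deleting a file removes only its directory entry, so the content stays in
its blocks until new data reuses them. A signature carver that ignores the
directory finds it anyway; once a block is reused, only fragments survive.
"""

BLOCK_SIZE = 512
NUM_BLOCKS = 16

# Constructed sample content: a PDF-like blob using the real PDF header and
# end-of-file marker, padded so it spans two blocks.
PDF_HEADER = b"%PDF-"
PDF_FOOTER = b"%%EOF"
SAMPLE_PDF = b"%PDF-1.4\nstream\n" + b"A" * 600 + b"\nendstream\n%%EOF"
NOTES_TXT = b"meeting notes (constructed filler)\n" * 40  # 1400 bytes, 3 blocks


class ToyDisk:
    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}  # name -> (first_block, length)

    def write_file(self, name, data, first_block):
        start = first_block * BLOCK_SIZE
        if start + len(data) > len(self.blocks):
            raise ValueError("file does not fit on the toy disk")
        self.blocks[start:start + len(data)] = data
        self.directory[name] = (first_block, len(data))

    def delete_file(self, name):
        # Only the directory entry goes; the data blocks are untouched.
        del self.directory[name]

    def first_free_block(self):
        used = set()
        for first, length in self.directory.values():
            n_blocks = (length + BLOCK_SIZE - 1) // BLOCK_SIZE
            used.update(range(first, first + n_blocks))
        return next(b for b in range(NUM_BLOCKS) if b not in used)


def carve(image, header, footer):
    """Return every header..footer span in the raw image, ignoring the
    directory entirely (the approach file-carving tools take)."""
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start)
        if end == -1:
            break
        found.append(bytes(image[start:end + len(footer)]))
        pos = end + len(footer)
    return found


def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", NOTES_TXT, 0)    # blocks 0-2
    disk.write_file("report.pdf", SAMPLE_PDF, 3)  # blocks 3-4

    disk.delete_file("report.pdf")
    after_delete = carve(disk.blocks, PDF_HEADER, PDF_FOOTER)

    # A new file takes the first free block, now block 3: the PDF header is
    # destroyed, but the tail of the file in block 4 survives as a fragment.
    disk.write_file("todo.txt", b"constructed new content\n" * 4,
                    disk.first_free_block())
    after_overwrite = carve(disk.blocks, PDF_HEADER, PDF_FOOTER)

    return {
        "recovered_after_delete": after_delete,
        "recovered_after_overwrite": after_overwrite,
        "footer_fragment_survives": disk.blocks.find(PDF_FOOTER) != -1,
    }


if __name__ == "__main__":
    result = demo()
    print("carved after delete:", len(result["recovered_after_delete"]), "file(s)")
    print("carved after overwrite:", len(result["recovered_after_overwrite"]), "file(s)")
    print("footer fragment still on disk:", result["footer_fragment_survives"])
```

The carver recovers the deleted file byte-for-byte until the new file lands on its first block; after that only the footer fragment remains, which is why imaging a seized drive before anything else is written to it matters.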
Evidence Collection and Data Seizure
- What is Evidence Collection
- Types of Evidence
- Rules of Evidence
- Volatile Evidence
- Methods of Collection
- Steps to Collection
- Controlling Contamination
What is Evidence Collection
- Collecting information from the data recovered for further analysis
- Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited
- Collect evidence for analysis or monitor the intruder
- Obstacles
  - Difficult to extract patterns or useful information from the recovered data
  - Difficult to tie the extracted information to a person
Types of Evidence
- Testimonial Evidence
  - Evidence supplied by a witness; subject to the perceived reliability of the witness
  - Word processor documents written by a witness, as long as the author states that he wrote it
- Hearsay
  - Evidence presented by a person who is not a direct witness
  - Word processor documents written by someone without direct knowledge of the incident
Rules of Evidence
- Admissible
  - Evidence must be able to be used in court
- Authentic
  - Tie the evidence positively to an incident
- Complete
  - Evidence that can cover all perspectives
- Reliable
  - There should be no doubt that proper procedures were used
- Believable
  - Understandable and believable to a jury
Additional considerations
- Minimize handling and corruption of original data
- Account for any changes and keep detailed logs
- Comply with the 5 basic rules
- Do not exceed your knowledge; you need to understand what you are doing
- Follow the security policy established
- Work fast, but be accurate
- Proceed from volatile to persistent evidence
- Do not shut down the machine before collecting evidence
- Do not run programs on the affected machine
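"Account for any changes and keep detailed logs" and the chain of custody discussed under Controlling Contamination both come down to the same mechanism: record each handling step together with a cryptographic hash of the evidence, and chain the records so that none can be quietly edited or dropped. The following is an added example, not code from the lecture or its textbook; the item id, handler names, timestamps and the evidence bytes are constructed for the demonstration.

```python
"""Added example (not from the lecture): a tamper-evident chain-of-custody log.

Every handling step records who, what, when and why, plus the SHA-256 of the
evidence item, and each entry carries the hash of the previous entry. Altering
or removing an entry, or altering the evidence itself, is then detectable.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # hashes the same regardless of dict ordering.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def append_entry(log, *, item_id, handler, action, timestamp, evidence):
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "item_id": item_id,
        "handler": handler,
        "action": action,
        "timestamp": timestamp,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)  # hash taken before the key is added
    log.append(entry)
    return entry


def verify_log(log, evidence_by_item):
    """Return (ok, reason). Checks the chain links, each entry's own hash, and
    that every item still held matches the hash recorded for it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken chain (previous entry missing or changed)"
        if entry_hash(fields) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered after it was written"
        held = evidence_by_item.get(entry["item_id"])
        if held is not None and sha256_hex(held) != entry["evidence_sha256"]:
            return False, f"entry {i}: evidence {entry['item_id']} no longer matches recorded hash"
        prev = entry["entry_hash"]
    return True, "ok"


def demo():
    image = b"constructed disk image bytes 0123456789" * 50  # stands in for a drive image
    evidence = {"EV-001": image}
    log = []
    append_entry(log, item_id="EV-001", handler="Officer A",
                 action="seized hard drive at scene",
                 timestamp="2007-09-12T14:05:00Z", evidence=image)
    append_entry(log, item_id="EV-001", handler="Officer A",
                 action="transferred to lab evidence locker",
                 timestamp="2007-09-12T16:30:00Z", evidence=image)
    append_entry(log, item_id="EV-001", handler="Examiner B",
                 action="checked out for imaging",
                 timestamp="2007-09-13T09:00:00Z", evidence=image)

    results = {"clean": verify_log(log, evidence)}

    # Evidence changed after logging (e.g. accidentally mounted read-write).
    results["evidence_modified"] = verify_log(log, {"EV-001": image + b"\x00"})

    # A log entry edited in place.
    edited = copy.deepcopy(log)
    edited[1]["handler"] = "Someone Else"
    results["entry_altered"] = verify_log(edited, evidence)

    # A log entry removed.
    trimmed = copy.deepcopy(log)
    del trimmed[1]
    results["entry_removed"] = verify_log(trimmed, evidence)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} ok={ok} {reason}")
```

In practice the log and the evidence hash are produced at seizure, before any analysis, so every later hash comparison is against a value that predates the examiner's involvement.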
Volatile Evidence
- Types
  - Cached data
  - Routing tables
  - Process table
  - Kernel statistics
  - Main memory
- What to do next
  - Collect the volatile data and store it on a permanent storage device
Methods of Collection
- Freezing the scene
  - Taking a snapshot of the system and its compromised state
  - Recover data, extract information, analyze
- Honeypotting
  - Create a replica system and attract the attacker for further monitoring
Steps to Collection
- Find the evidence: where is it stored?
- Find relevant data (recovery)
- Create an order of volatility
- Remove external avenues of change; no tampering
- Collect evidence using tools
- Good documentation of all the actions
Controlling Contamination
- Once the data is collected it must not be contaminated; it must be stored in a secure place, using encryption techniques
- Maintain a chain of custody: who owns the data; data provenance techniques
- Analyze the evidence
  - Use analysis tools to determine what happened
- Analyze the log files and determine the timeline
- Analyze backups using a dedicated host
- Reconstruct the attack from all the information collected
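Determining the timeline from log files is harder than it sounds because each source stamps its lines in its own format and its own clock zone; the order the lines appear in is not the order the events happened. The following is an added example, not code from the lecture or its textbook: it normalizes constructed log lines in three common formats to UTC, sorts them into one timeline, and reports lines it could not parse rather than dropping them. The hostnames, addresses and events in the sample lines are constructed.

```python
"""Added example (not from the lecture): building one UTC timeline from logs
with mixed timestamp formats and clock zones.
"""
import re
from datetime import datetime, timezone

# Constructed sample log lines from three sources with different clocks.
RAW_LOGS = [
    # Web server in US Central (UTC-5), Apache-style access log
    ("web", '10.0.0.7 - - [12/Sep/2007:14:05:09 -0500] "GET /admin HTTP/1.1" 401 512'),
    ("web", '10.0.0.7 - - [12/Sep/2007:14:05:31 -0500] "GET /admin HTTP/1.1" 200 8192'),
    # Auth log from a host whose clock reports UTC, ISO 8601
    ("auth", "2007-09-12T19:05:20Z host1 sshd[412]: Accepted password for svc from 10.0.0.7"),
    # Backup host in UTC+2, syslog-like with explicit offset
    ("backup", "2007-09-12 21:07:44 +0200 bkup1 rsyncd[88]: connect from 10.0.0.7"),
    # A line with no usable timestamp: must be reported, not silently lost
    ("misc", "rotated log, no timestamp on this line"),
]

# (regex capturing the stamp, strptime format) for each format we recognise.
TIMESTAMP_PATTERNS = [
    (re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"),
     "%d/%b/%Y:%H:%M:%S %z"),
    (re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{4}))"),
     "%Y-%m-%dT%H:%M:%S%z"),
    (re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"),
     "%Y-%m-%d %H:%M:%S %z"),
]


def parse_timestamp(line):
    """Return the line's timestamp as an aware UTC datetime, or None."""
    for pattern, fmt in TIMESTAMP_PATTERNS:
        match = pattern.search(line)
        if not match:
            continue
        stamp = match.group(1).replace("Z", "+0000")  # 'Z' is UTC
        try:
            parsed = datetime.strptime(stamp, fmt)
        except ValueError:
            continue
        return parsed.astimezone(timezone.utc)
    return None


def build_timeline(raw_logs):
    """Return (events, unparsed): events are (utc_iso, source, line) sorted by
    time; unparsed lists the lines whose timestamp could not be recognised."""
    events, unparsed = [], []
    for source, line in raw_logs:
        when = parse_timestamp(line)
        if when is None:
            unparsed.append((source, line))
            continue
        events.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), source, line))
    events.sort(key=lambda e: e[0])
    return events, unparsed


if __name__ == "__main__":
    timeline, leftovers = build_timeline(RAW_LOGS)
    for utc, source, line in timeline:
        print(f"{utc}  {source:7s} {line}")
    for source, line in leftovers:
        print(f"UNPARSED          {source:7s} {line}")
```

Read in local time the four events look unrelated; in UTC they form a sequence: a failed web request, an SSH login from the same address, a successful web request, then a connection to the backup host. The unparsed list is kept deliberately, since a line the parser cannot place is a gap in the timeline that the examiner must account for rather than lose.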
Conclusion
- Data must be backed up using appropriate policies, procedures and technologies
- Once a crime has occurred, data has to be recovered from the various disks and computers
- Data that is recovered has to be analyzed to extract evidence
- Evidence has to be analyzed to determine what happened
- Use log files and documentation to establish the timeline
- Reconstruct the attack
Links
- Data Recovery
- Digital Evidence
  - entations/IAW pdf /pg_1
  - Presentations/DigitalEvidence.pdf