Computer Forensics
Peter Caggiano

Outline
- My Background
- What is it?
- What can it do and not do?
- Goals
- Evidence
- Types of forensics
- Future problems
- How to enter the field
- Questions?

Background
- Stockton College: BS Computer Science, Minor in Mathematics
- The George Washington University: MS Computer Science; concentrations in Information Assurance and Computer Forensics

Work Experience
- PG Lewis & Associates: Corporate Forensics and Data Recovery
- Department of State: Computer Investigations and Forensics
- Nuclear Regulatory Commission: Office of the Inspector General
Computer Forensics
- Computer forensics is the discipline of acquiring, preserving, identifying and examining digital media.
- The application of computer science and mathematics to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.

What Is Computer Forensics?
- Is often more of an art than a science.
- Follows clear, well-defined methodologies.
- Uses the same basic techniques as other forensics areas.

What Forensics Can Do
- High tech investigations
- Incident response recovery and analysis
- Document and file discovery
- Data collecting, while still preserving
  - MAC times
  - Other volatile data

What Forensics Can Do
- Uncover and document evidence and leads
- Corroborate other evidence
- Assist in showing patterns of events
- Connect computers and people
- Reveal an end-to-end path of events leading to a compromise attempt, successful or not
- Extract data that may be hidden, deleted or otherwise not directly available

What Forensics Can’t Do
- Create evidence
- Tie the suspect to the incident
  - Only the system or profile
- Prove innocence or guilt
- Be instantaneous
Goals
Details of an investigation will depend on the circumstances and goals, but the steps are always the same.
Goals:
- Support law enforcement
- Determine the root cause of an event to prevent recurrence
- Reconstruct the series of events surrounding the incident
- Assist in more types of investigations than just digital
Evidence
All forms of digital media:
- Hard drives
- CDs
- Floppy disks
- USB drives
- Flash memory
- Tape drives
- Cameras
- Etc.

Evidence Categories Beyond Hard Drives
- Logs
  - Managing devices
  - Hosts/systems
  - Servers
- Interviews
  - Involved personnel
  - Business and technical managers
- Device configuration files
- Network maps
- Event observation timelines
- Notes
  - Meetings
  - Passwords
  - Response team notes and observations

Types of Forensics
Traditional vs. Incident Response

Basic Methodology
1. Identification
2. Preparation
3. Approach strategy
4. Preservation
5. Collection
6. Examination
7. Analysis
8. Presentation
9. Returning evidence

Traditional Forensics
- Referred to as ‘Dead’ Forensics
- Analysis done in a ‘Post Mortem’ state, after the system has lost power
- Two basic rules:
  - Harm Nothing
  - Preserve Everything
Harm Nothing
- Writeblocker (hardware, firmware, software): preserves the integrity of the original evidence
- Work off a ‘Forensic Image’ of the original evidence, never the original evidence itself
- Don’t handle the original evidence longer than it needs to be handled
Forensic Image
- An exact, bit-by-bit copy of a piece of media, made without altering the original data
- Includes slack space, unallocated space, and hidden partitions
- Preserves MAC times
- An exact “snapshot” of the hard drive at that given time
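The acquisition and integrity check behind the Harm Nothing and Forensic Image slides, as an added example that is not from the original deck: the source is read once, read-only, hashed as it is copied bit for bit, and the finished image is re-hashed so the two digests can be recorded with the evidence; a later verification detects any change to the image. The file names, the sample content and the demo function are constructed for illustration, and the code only refuses to write: a hardware or firmware writeblocker is still what keeps the operating system away from real evidence.

```python
import hashlib, os, tempfile

CHUNK = 1024 * 1024  # 1 MiB read size; the block size never changes the image

def sha256_of_file(path):
    """Stream a file through SHA-256 (used to re-hash the finished image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy `source` bit-for-bit to `image`; return (source_hash, image_hash).
    The source is opened read-only (O_NOATIME where permitted) and its mtime and
    ctime are compared before and after, so a change during acquisition is caught."""
    before = os.stat(source)
    try:
        fd = os.open(source, os.O_RDONLY | getattr(os, "O_NOATIME", 0))
    except PermissionError:  # O_NOATIME needs file ownership or CAP_FOWNER
        fd = os.open(source, os.O_RDONLY)
    src_hash = hashlib.sha256()
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    after = os.stat(source)
    if (before.st_mtime_ns, before.st_ctime_ns) != (after.st_mtime_ns, after.st_ctime_ns):
        raise RuntimeError("source metadata changed during acquisition")
    return src_hash.hexdigest(), sha256_of_file(image)

def verify_image(image, expected_hash):
    """True only while the image still hashes to the value recorded at acquisition."""
    return sha256_of_file(image) == expected_hash

def demo_acquisition():
    """Constructed sample: image a 3 MiB + 5 byte file, then flip one byte of the image."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "evidence.bin"), os.path.join(work, "evidence.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"tail!")
    src_hash, img_hash = acquire_image(source, image)
    result = {"hashes_match": src_hash == img_hash,
              "size_match": os.path.getsize(image) == os.path.getsize(source),
              "verified": verify_image(image, img_hash)}
    with open(image, "r+b") as f:  # the byte at CHUNK + 5 is 0x05 in the pattern
        f.seek(CHUNK + 5); f.write(b"\xff")
    result["tampered_verifies"] = verify_image(image, img_hash)
    return result
```

For a real drive the source would be the block device node rather than a file; the digests, not the image file name, are what get written into the evidence record.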
Writeblockers
- Hardware
  - The only true hardware writeblocker is the floppy tab
- Firmware
  - An intermediate device between the evidence and the system
  - Intercepts the write signal from the system and prevents any alteration of data
- Software
  - Secure Linux environment
  - Connecting file systems to the system as ‘Read Only’
  - An HFS partition connected to a Windows system

Preserve Everything
- Contact system administrators: data can be on remote servers
- Image entire disks, not just volumes (physical vs. logical layer)
- Image all peripheral media

Common Tools
- MacForensicsLab
- FTK
- EnCase
- iLook
- Pro Discover
- Many specialized tools
Incident Response
- Also known as Live Forensics
- Growing field because of the expanding role of networks
- Vital to preserve volatile data
- Unlike Traditional Forensics, the original evidence must be altered: to retrieve the needed data, the system in question must be used

What Incident Response Can Do
- Show the path that the intruder took over the network
- Reveal intermediate intrusions
- Preserve data that would be lost during a Traditional Forensic investigation
- Create leads to expand the investigation
What Incident Response Can’t Do
- Solve the case alone: Traditional Forensics is still needed
- Tie the suspect to the attack
  - Only the system
- Create data that is not present

Collecting the Evidence
- Information gathering
  - Volatile memory and configurations
  - Enumerating
- Files or ambient data
  - Compromised system
  - Attack system
- Log entries in intermediate devices

What to Look For
- Footprinting: files or ambient data on the attack computer and log entries in intermediate devices
- Probing for weaknesses: files or ambient data on the attack computer; log entries on
  - Intermediate devices
  - The compromised system

Tools
- Mostly open source tools
- Helix: live Linux environment and response suite
- Backtrack: network mapping and penetration (if needed)
- Custom batch and script files

Big Picture
Use all the data collected to tie all the events together in support of the overall investigation.
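One concrete way of tying collected events together, as an added example that is not from the original deck: a small MAC-time timeline builder in the style of a mactime body file, which walks a directory (normally a mounted forensic image), emits one event per file per distinct timestamp with the m/a/c flags that share it, and sorts them oldest first. The directory layout, file names and timestamps in the demo are constructed for illustration.

```python
import os, tempfile

def mac_events(root):
    """Walk `root` and return sorted (timestamp_ns, flags, path) events.
    `flags` is the subset of 'mac' (modified, accessed, changed) whose
    timestamps coincide for that file. Symlinks are not followed."""
    events = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            stamps = {}  # timestamp -> flags sharing it, so "ma" means m == a
            for flag, ns in (("m", st.st_mtime_ns), ("a", st.st_atime_ns),
                             ("c", st.st_ctime_ns)):
                stamps[ns] = stamps.get(ns, "") + flag
            events.extend((ns, flags, path) for ns, flags in stamps.items())
    return sorted(events)

def timeline(root):
    """Render the events as text lines, oldest first."""
    return [f"{ns} {flags:<3} {path}" for ns, flags, path in mac_events(root)]

def demo_timeline():
    """Constructed sample: two files whose mtime and atime are set explicitly;
    ctime cannot be set from user space and records the utime call itself."""
    root = tempfile.mkdtemp()
    old, new = os.path.join(root, "old.log"), os.path.join(root, "new.log")
    for path, seconds in ((old, 1_000_000_000), (new, 1_100_000_000)):
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.utime(path, ns=(seconds * 10**9, seconds * 10**9))  # atime == mtime
    return [(flags, os.path.relpath(path, root)) for _, flags, path in mac_events(root)]
```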
Future Problems
- Large data sets
- Steganography
- Cell phones
- PDAs
- Encryption

How to Enter the Field
- Law Enforcement
  - Mostly point and click
  - Don’t always understand the technical side
- Technical
  - Don’t understand the entire scope of the investigation
  - Understand the ‘behind the scenes’ actions of the tools

Forensic Analyst
Requires knowledge of:
- Computer hardware and software
- Operating systems
- File systems
- Special “forensics” hardware and software
- Networks
- General technical support

Preparation from Stockton
- Technical support
- Programming
- Computer security basics
- Analytical approach
- Networks
- Sound fundamentals

Preparation from GW
- SFS Scholarship
- Hands-on forensic practical
- In-depth computer security
- Network security practices
- Hacking

SFS Scholarship
- Roughly 15 schools nationwide
- Pays for up to 2 years of school
- Pays you to go to school
- NSA Center of Excellence
  - Concentrate in all areas of computer security
  - Not all centers are scholarship schools
- In return: 1 to 1, years of education to years of government employment

Questions?

Contact Information
Peter Caggiano