
COMPUTER FORENSICS Aug. 11, 2000 for Cambridge, Massachusetts.


1 COMPUTER FORENSICS, Aug. 11, 2000, for Cambridge, Massachusetts (tan@atstake.com)

2 COMPUTER FORENSICS CAN BE MANY THINGS
- Corporate or University internal investigation
- FBI or (unlikely) Sheriff investigation
- Computer Security Research
- Post Mortem or Damage Assessment
- Child Pornography
- Fraud
- Espionage & Treason
- Corporate or University Policy Violation
- Honey-pots
Computer forensics ultimately supports or refutes a case someone cares to make.

3 FORENSICS IS A FOUR STEP PROCESS
- Acquisition
- Identification
- Evaluation
- Presentation
Source: RCMP Technical Security Branch, "Computer Forensics: An Approach to Evidence in Cyberspace" (RCMP GRC Publications), by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96). http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm

4 PRESENTATION – Starting at the End
- Many findings will not be evaluated to be worthy of presentation as evidence.
- Many findings will need to withstand rigorous examination by another expert witness.
- The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
- The Chain of Custody may be challenged.

5 EVALUATION – What the Lawyers Do
- This is what lawyers (or those concerned with the case) do. Basically, determine relevance.
- Presentation of findings is key in this phase.
- Findings submitted for evaluation as evidence will not only be evaluated for content but for "chain of custody" problems.

6 IDENTIFICATION – Technical Analysis
- Physical Context
- Logical Context
- Presentation/Use Context
- Opinion to support relevance of findings
- Handling and labeling of objects submitted for forensic analysis is key.
- Following a documented procedure is key.

7 FBI List of Computer Forensic Services
- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

8 THE EVIDENCE LOCKER
- Restricted Access and Low Traffic, Camera Monitored Storage.
- Video Surveillance & Long Play Video Recorders
- Baggies for screws, and label everything!
- Sign In/Out for Chain of Custody

9 ACQUISITION – What Are the Goals?
- Track or Observe a Live Intruder?
- Assess Extent of Live Intrusion?
- Preserve "Evidence" for Court?
- Close the Holes and Evict the Unwanted Guest?
- Support for Sheriff, State Police or FBI Arrest?
- Support for Court Ordered Subpoena?

10 GROUND ZERO – WHAT TO DO
- do not start looking through files
- start a journal with the date and time, keep detailed notes
- unplug the system from the network if possible
- do not back the system up with dump or other backup utilities
- if possible without rebooting, make two byte by byte copies of the physical disk
- capture network info
- capture process listings and open files
- capture configuration information to disk and notes
- collate mail, DNS and other network service logs to support host data
- capture exhaustive external TCP and UDP port scans of the host
- contact security department or CERT/management/police or FBI
- if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- short-term storage
- packaging/labeling
- shipping
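The collection steps on this slide (start a timestamped journal, make two byte-by-byte copies of the disk and prove they are faithful, capture process, open-file and socket state before anything is rebooted) as a worked example in POSIX shell. This is an added example, not code from the slides or from @stake; it assumes the usual Unix tools (dd, ps, lsof, ss or netstat, and sha256sum, shasum or openssl for digests), and the CASE_DIR default under /tmp is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the slides: a first-response collection routine for
# a Unix host. All output goes under CASE_DIR, which should point at separate
# evidence media, never at the suspect disk (the /tmp default is a constructed
# placeholder for illustration only).
CASE_DIR="${CASE_DIR:-/tmp/case-$(date +%Y%m%d%H%M%S)}"
JOURNAL="$CASE_DIR/journal.txt"

# Append a UTC-timestamped line to the investigator's journal.
journal() {
    mkdir -p "$CASE_DIR"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

# SHA-256 of a file, using whichever hashing tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Two byte-by-byte copies of a device (or file) with dd; succeeds and prints
# the digest only if the source and both copies hash identically.
image_disk() {
    src="$1"; name="$2"
    mkdir -p "$CASE_DIR"
    journal "imaging $src as $name, two copies"
    dd if="$src" of="$CASE_DIR/$name.1.img" bs=4096 2>>"$JOURNAL" || { journal "dd failed for $src"; return 1; }
    dd if="$src" of="$CASE_DIR/$name.2.img" bs=4096 2>>"$JOURNAL" || { journal "dd failed for $src"; return 1; }
    h0=$(hash_file "$src")
    h1=$(hash_file "$CASE_DIR/$name.1.img")
    h2=$(hash_file "$CASE_DIR/$name.2.img")
    journal "sha256 source=$h0 copy1=$h1 copy2=$h2"
    if [ "$h0" != "$h1" ] || [ "$h1" != "$h2" ]; then
        journal "HASH MISMATCH for $name"
        return 1
    fi
    printf '%s\n' "$h0"
}

# Run a command, store its output in the case directory, journal the command
# line together with the digest of what was captured, and print the path.
capture() {
    label="$1"; shift
    mkdir -p "$CASE_DIR"
    out="$CASE_DIR/$label.txt"
    "$@" > "$out" 2>&1 || journal "note: '$*' exited non-zero"
    journal "captured $label via '$*' sha256=$(hash_file "$out")"
    printf '%s\n' "$out"
}

# Volatile state that a reboot destroys: processes, open files, sockets.
collect_volatile() {
    capture processes ps -ef
    if command -v lsof >/dev/null 2>&1; then capture open_files lsof -n; fi
    if command -v ss >/dev/null 2>&1; then capture sockets ss -an
    elif command -v netstat >/dev/null 2>&1; then capture sockets netstat -an
    else journal "note: no ss or netstat on this host"; fi
    capture uptime uptime
}
```

Every capture and every image is journaled with a digest at the moment it is taken, which is what later lets the chain of custody be defended: anyone can recompute the digest of an exhibit and compare it with the journal entry. Set CASE_DIR to mounted evidence media before running anything, and prefer tools carried in from trusted media over the suspect host's own binaries.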

11 ADDITIONAL RESOURCES
- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
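The "comparison against known data" service on slide 7 and the Solaris Fingerprint Database listed above rest on the same check: hash the files on the suspect system and compare the digests with ones recorded from a trusted source. The following POSIX shell is an added example, not code from the slides or from any of the listed resources; it assumes GNU sha256sum and a manifest in sha256sum's two-column form, and the file contents in the demo are constructed stand-ins for binaries.

```shell
#!/bin/sh
# Added example, not from the slides: verify files on a suspect system against
# a manifest of known-good SHA-256 digests. Manifest lines use sha256sum's
# layout, "<hex digest>  <path>", and the checker assumes GNU sha256sum.

# Emit a manifest line for each path under ROOT. Run this on a trusted
# reference system (or take the digests from a vendor-published database).
build_manifest() {
    root="$1"; shift
    for p in "$@"; do
        printf '%s  %s\n' "$(sha256sum "$root$p" | cut -d' ' -f1)" "$p"
    done
}

# compare_manifest MANIFEST ROOT: hash ROOT/path for every manifest entry and
# report match / MISMATCH / MISSING. Exit status is 0 only when all match.
# Pass the mount point of a read-only evidence image as ROOT.
compare_manifest() {
    manifest="$1"; root="${2:-}"
    bad=0
    while read -r expected path; do
        case "$expected" in ''|\#*) continue ;; esac   # skip blanks and comments
        target="$root$path"
        if [ ! -f "$target" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'match    %s\n' "$path"
        else
            printf 'MISMATCH %s expected=%s actual=%s\n' "$path" "$expected" "$actual"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Self-contained demonstration with constructed file contents standing in for
# binaries: the suspect tree has one unchanged file, one altered, one removed.
demo() {
    known=$(mktemp -d); suspect=$(mktemp -d)
    mkdir -p "$known/bin" "$suspect/bin"
    printf 'constructed ls binary\n'      > "$known/bin/ls"
    printf 'constructed ps binary\n'      > "$known/bin/ps"
    printf 'constructed netstat binary\n' > "$known/bin/netstat"
    cp "$known/bin/ls" "$suspect/bin/ls"                          # unchanged
    printf 'constructed ps binary, patched\n' > "$suspect/bin/ps"   # altered
    # netstat is intentionally absent from the suspect tree
    build_manifest "$known" /bin/ls /bin/ps /bin/netstat > "$known/manifest.txt"
    compare_manifest "$known/manifest.txt" "$suspect"
}
```

Run the comparison against a mounted copy of the acquired image rather than the live root, and take sha256sum itself from trusted media: a digest computed with a tool read from the suspect disk proves nothing about that disk. A MISMATCH on a system binary is a finding to record in the journal, not a conclusion; version drift and legitimate patching produce the same result and are ruled out in the identification phase.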

12 Thank you … … very much, MIT!

