1 Computer Forensics Peter Caggiano

2 Outline
- My Background
- What is it?
- What can it do and not do?
- Goals
- Evidence
- Types of forensics
- Future problems
- How to enter the field
- Questions?

3 Background
- Stockton College: BS Computer Science, Minor in Mathematics
- The George Washington University: MS Computer Science
  - Concentrations: Information Assurance, Computer Forensics

4 Work Experience
- PG Lewis & Associates: Corporate Forensics and Data Recovery
- Department of State: Computer Investigations and Forensics
- Nuclear Regulatory Commission: Office of the Inspector General

5 Computer Forensics
- Computer forensics is the discipline of acquiring, preserving, identifying and examining digital media.
- The application of computer science and mathematics to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.

6 What Is Computer Forensics?
- Is often more of an art than a science.
- Follows clear, well-defined methodologies.
- Uses the same basic techniques as other forensics areas.

7 What Forensics Can Do
- High tech investigations
- Incident response
- Email recovery and analysis
- Document and file discovery
- Data collecting while still preserving MAC times and other volatile data

8 What Forensics Can Do
- Uncover and document evidence and leads
- Corroborate other evidence
- Assist in showing patterns of events
- Connect computers and people
- Reveal an end-to-end path of events leading to a compromise attempt, successful or not
- Extract data that may be hidden, deleted or otherwise not directly available

9 What Forensics Can't Do
- Create evidence
- Tie the suspect to the incident: it can only tie the system or user profile to it
- Prove innocence or guilt
- Be instantaneous

10 Goals
Details of the investigation will depend on the circumstances and goals, but the steps are always the same. Goals:
- Support law enforcement
- Determine the root cause of an event to prevent recurrence
- Reconstruct the series of events surrounding the incident
- Assist in more types of investigations than just digital

11 Evidence
All forms of digital media:
- Hard drives
- CDs
- Floppy disks
- USB drives
- Flash memory
- Tape drives
- Cameras
- Etc.

12 Evidence Categories Beyond Hard Drives
- Logs
  - Managing devices
  - Hosts/systems
  - Servers
- Interviews
  - Involved personnel
  - Business and technical managers
- Device configuration files
- Network maps
- Event observation timelines
- Notes
  - Meetings
  - Passwords
  - Response team notes and observations

13 Types of Forensics Traditional vs. Incident Response

14 Basic Methodology
- Identification
- Preparation
- Approach strategy
- Preservation
- Collection
- Examination
- Analysis
- Presentation
- Returning evidence

15 Traditional Forensics
- Referred to as 'Dead' Forensics
- Analysis done in a 'Post Mortem' state, after the system has lost power
- Two basic rules: Harm Nothing, Preserve Everything

16 Harm Nothing
- A writeblocker (hardware, firmware or software) preserves the integrity of the original evidence
- Work off a 'Forensic Image' of the original evidence, never the original evidence itself
- Don't handle the original evidence longer than necessary

17 Forensic Image
- An exact, bit-by-bit copy of a piece of media, made without altering the original data
- Includes slack space, unallocated space, and hidden partitions
- Preserves MAC times
- An exact "snapshot" of the hard drive at that given time

18 Writeblockers
- Hardware
  - The only true hardware writeblocker is the floppy tab
- Firmware
  - Intermediate device between the evidence and the system
  - Intercepts the write signal from the system and prevents any alteration of data
- Software
  - Secure Linux environment
  - Connecting file systems to the system as 'Read Only'
  - An HFS partition connected to a Windows system
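The 'Harm Nothing' rules of slides 16 to 18 in working form, as an added shell example that is not from the presentation: it images a device bit for bit with dd, hashes original and image, and logs the result. The evidence, image and log paths are assumed arguments, and the evidence device is assumed to already sit behind a hardware or firmware writeblocker.

```shell
#!/bin/sh
# Added example, not from the presentation: acquire a forensic image with dd
# and prove it matches the original. Assumes a Unix host with dd and
# sha256sum. EVIDENCE is a placeholder for the block device behind a
# hardware or firmware writeblocker; this script only ever reads from it.

# acquire_image EVIDENCE IMAGE LOG
#   Bit-for-bit copy of EVIDENCE into IMAGE. conv=noerror,sync keeps reading
#   past unreadable sectors and pads them with zeros, so every later offset
#   (slack space, unallocated space, hidden partitions) stays where it was.
#   dd's record counts go to LOG as part of the acquisition record.
acquire_image() {
    dd if="$1" of="$2" bs=65536 conv=noerror,sync 2>>"$3"
}

# verify_image EVIDENCE IMAGE LOG
#   Hashes source and image, appends both hashes with a UTC timestamp to LOG,
#   and prints MATCH or MISMATCH. Re-run it on the image before each session
#   to show the working copy has not changed since acquisition.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then result=MATCH; else result=MISMATCH; fi
    printf '%s source=%s image=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src_hash" "$img_hash" "$result" >>"$3"
    echo "$result"
}

# image_and_verify EVIDENCE IMAGE LOG
#   The whole acquisition step: image, then verify. Prints MATCH or MISMATCH.
image_and_verify() {
    acquire_image "$1" "$2" "$3" && verify_image "$1" "$2" "$3"
}

# Once verified, the image is examined through a software writeblocker in the
# sense of slide 18, for example a read-only loop mount such as
#   mount -o ro,noatime,loop IMAGE /mnt/evidence
# so that the MAC times inside the copy are not touched either.
```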

19 Preserve Everything
- Contact system administrators: data can be on remote servers
- Image entire disks, not just volumes (physical vs. logical layer)
- Image all peripheral media

20 Common tools
- MacForensicsLab
- FTK
- EnCase
- iLook Pro
- Discover
- Many specialized tools

21 Incident Response
- Also known as Live Forensics
- Growing field because of the expanding role of networks
- Vital to preserve volatile data
- Unlike Traditional Forensics, the original evidence must be altered: to retrieve the needed data, the system in question must be used

22 What Incident Response Can Do
- Show the path that the intruder took over the network
- Reveal intermediate intrusions
- Preserve data that would be lost during a Traditional Forensic investigation
- Create leads to expand the investigation

23 What Incident Response Can't Do
- Solve the case alone: Traditional Forensics is still needed
- Tie the suspect to the attack: it can only tie the system to it
- Create data that is not present

24 Collecting the evidence
Information gathering:
- Volatile memory and configurations
- Enumerating files or ambient data on the compromised system and the attack system
- Log entries in intermediate devices
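A minimal live-response collector for the volatile data of slides 21 and 24, as an added example that is not from the presentation: it runs read-only inspection commands most-volatile first, captures each output to its own file, and hashes the set into a manifest. The command list, the output directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation: collect volatile data from a live
# system in order of volatility and produce a hash manifest of what was
# captured. Assumes a Unix host; a tool that is absent is noted and skipped
# rather than aborting the collection, and each command's exit status is
# kept with its output so the record shows exactly what was run.

# One step per line, "name:command". Clock first, then users, processes,
# network state, and finally mounted filesystems and disk usage (least
# volatile). ss and netstat overlap on purpose: whichever exists is used.
VOLATILE_STEPS='date:date -u
uptime:uptime
who:who
ps:ps -ef
ss:ss -tunap
netstat:netstat -tunap
mount:mount
df:df -h'

# collect_volatile OUTDIR
#   Runs each step, capturing stdout and stderr to OUTDIR/<name>.txt.
#   Missing tools are listed in OUTDIR/skipped.txt.
collect_volatile() {
    mkdir -p "$1"
    : >"$1/skipped.txt"
    while IFS=: read -r name cmd; do
        tool=${cmd%% *}                       # first word is the executable
        if command -v "$tool" >/dev/null 2>&1; then
            $cmd >"$1/$name.txt" 2>&1 || echo "exit status $?" >>"$1/$name.txt"
        else
            echo "$name: $tool not found" >>"$1/skipped.txt"
        fi
    done <<EOF
$VOLATILE_STEPS
EOF
}

# write_manifest OUTDIR
#   Hashes every captured file into OUTDIR/manifest.sha256 and prints the
#   number of files hashed. The manifest is what gets hashed again or signed
#   when the collection is handed over, so later alteration is detectable.
write_manifest() {
    ( cd "$1" && ls *.txt | xargs sha256sum ) >"$1/manifest.sha256"
    wc -l <"$1/manifest.sha256" | tr -d ' '
}
```

Note that, exactly as slide 21 says, running the collector changes the live system (new process entries, updated access times), which is why the collector records its own commands and start time rather than pretending to be invisible.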

25 What to look for
- Footprinting
  - Files or ambient data on the attack computer and log entries in intermediate devices
- Probing for weaknesses
  - Files or ambient data on the attack computer
  - Log entries on intermediate devices and the compromised system

26 Tools
Mostly open source tools:
- Helix: live Linux environment and response suite
- Backtrack: network mapping and penetration (if needed)
- Custom batch and script files

27 Big Picture Use all the data collected to tie all the events together in support of the overall investigation.

28 Future Problems
- Large data sets
- Steganography
- Cell phones
- PDAs
- Encryption

29 How to enter the field
- Law Enforcement
  - Mostly point and click
  - Don't always understand the technical side
- Technical
  - Don't understand the entire scope of the investigation
  - Understand the 'behind the scenes' actions of the tools

30 Forensic Analyst Requires Knowledge of
- Computer hardware and software
- Operating systems
- File systems
- Special "forensics" hardware and software
- Networks
- General technical support

31 Preparation from Stockton
- Technical support
- Programming
- Computer security basics
- Analytical approach
- Networks
- Sound fundamentals

32 Preparation from GW
- SFS Scholarship
- Hands-on forensic practical
- In-depth computer security
- Network security practices
- Hacking

33 SFS Scholarship
- www.sfs.opm.gov
- Roughly 15 schools nationwide
- Pays for up to 2 years of school
- Pays you to go to school
- NSA Center of Excellence
  - Concentrate in all areas of computer security
  - Not all centers are scholarship schools
- In return: one year of government employment for each year of education (1 to 1)

34 Questions?

35 Contact Information Peter Caggiano 908.581.3630 caggiano.pa@gmail.com
