Forensic Computer Analysis - PowerPoint PPT Presentation


Slides: 32
Provided by: walshc3
Transcript and Presenter's Notes

1
Forensic Computer Analysis
  • Donald A. Smith MCSE, CNE, CCNA, A
  • Roger J. Bolhouse, MBA

2
Computer Forensics Overview
  • What is Computer Forensics?
  • When do you need this type of examination?
  • Understanding procedures for protection of
    suspect hard drives
  • Procedures for cloning and examining a Hard Drive
  • Computer Forensic Software
  • Limitations and other considerations regarding
    Computer Forensics

3
Computer Forensics Overview
  • Common Computer Forensic Requests
  • Deleted Files
  • Deletion Process
  • E-Mail History
  • Internet History
  • Concealed, Altered or Hidden Files
  • Disguised extensions
  • Steganography
  • Much more

4
Windows File Systems-File Deletion
  • When a user deletes a file, its directory entry is
    marked as deleted and the clusters it occupied are
    marked free in the FAT (file allocation table)
  • The actual data that occupied those clusters is
    still on the hard drive
  • The data remains on the hard drive until the
    clusters where it existed are reused and
    overwritten by another file (NTFS behaves the same
    way: the MFT record and clusters are marked
    unallocated, not wiped)
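The deletion and recovery behaviour above, as an added example written for this page (not code from the slides). It is a toy model of FAT bookkeeping: a directory of (name, first cluster, size) entries, a table of next-cluster pointers and a data area of fixed-size clusters. The cluster size, the 16-cluster volume and the sample file contents are all constructed; it is not a parser for a real on-disk image.

```python
"""Toy FAT-style volume showing why deleted data survives until overwritten.

Added example for this page, not code from the slides. The layout is a
simplified model of FAT (directory entries, a table of next-cluster pointers,
fixed-size clusters), not a parser for a real on-disk image.
"""

CLUSTER = 16        # bytes per cluster (real FAT volumes use 512 B to 64 KiB)
FREE, EOC = 0, -1   # table markers: cluster unallocated / end of chain


class ToyFat:
    def __init__(self, nclusters=16):
        self.fat = [FREE] * nclusters            # next-cluster pointers
        self.data = bytearray(CLUSTER * nclusters)
        self.dir = {}                             # name -> (first_cluster, size, deleted)

    def _free_clusters(self):
        return [i for i, v in enumerate(self.fat) if v == FREE]

    def write(self, name, payload):
        need = -(-len(payload) // CLUSTER)        # ceiling division
        chain = self._free_clusters()[:need]
        if len(chain) < need:
            raise OSError("volume full")
        for k, c in enumerate(chain):
            self.fat[c] = chain[k + 1] if k + 1 < need else EOC
            piece = payload[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = piece.ljust(CLUSTER, b"\x00")
        self.dir[name] = (chain[0], len(payload), False)

    def read(self, name):
        first, size, deleted = self.dir[name]
        if deleted:
            raise FileNotFoundError(name)
        out, c = bytearray(), first
        while c != EOC:
            out += self.data[c * CLUSTER:(c + 1) * CLUSTER]
            c = self.fat[c]
        return bytes(out[:size])

    def delete(self, name):
        """What FAT deletion does: flag the directory entry and free the
        chain. Nothing in the data area is touched."""
        first, size, _ = self.dir[name]
        c = first
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        self.dir[name] = (first, size, True)   # entry kept, flagged (0xE5 on disk)

    def undelete(self, name):
        """What undelete tools do: the entry still names the first cluster and
        the size, so assume the freed chain was contiguous and read it back."""
        first, size, _ = self.dir[name]
        return bytes(self.data[first * CLUSTER:first * CLUSTER + size])

    def unallocated(self):
        """Bytes an examiner would search: every cluster the table calls free."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self._free_clusters())


def demo():
    """Returns (recoverable after delete, recoverable after overwrite)."""
    vol = ToyFat()
    secret = b"TRANSFER 50000 TO ACCT 4471 BEFORE AUDIT"   # constructed sample
    vol.write("plan.txt", secret)
    vol.delete("plan.txt")
    before = secret in vol.unallocated() and vol.undelete("plan.txt") == secret
    vol.write("cover.doc", b"X" * 64)      # new file reuses the freed clusters
    after = secret in vol.unallocated()
    return before, after
```

`demo()` returns `(True, False)`: after deletion the file's content is still readable both by walking unallocated space and by the undelete heuristic, and it disappears only once a new file is allocated over the same clusters. The same reasoning is why examiners image before anything else is written to the drive.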

5
Protection of Data
  • When you believe a computer may hold important
    data:
  • Turn off and disconnect the computer(s) (this
    discards anything held only in memory; the
    procedure here favors preserving the disk)
  • Identify the potential computer(s) involved, and
    whether they are networked
  • Place them in a secured, access-restricted
    environment
  • Create a forensic clone as soon as possible
  • On-site, or bring the machine to the laboratory
  • Maintain a chain of custody

6
Collection, Preservation, Acquisition Process
  • Acquire evidence
  • Access the original hard drive only through a
    write blocker
  • Save the image on sterilized (wiped and verified)
    media
  • Record and sign a hash of the evidence (an MD5
    checksum, with the time and the examiner's name);
    the hash proves integrity, the signed record
    proves who took it and when

7
Evidence
  • Original Evidence: FRE Rule 1001
  • Subsection (3) An original of a writing or
    recording is the writing or recording itself or
    any counterpart intended to have the same effect
    by a person executing or issuing it. An
    original of a photograph includes the
    negative or any print therefrom. If data are
    stored in a computer or similar device, any
    printout or other output readable by sight, shown
    to reflect the data accurately, is an
    original.

8
Evidence
  • Duplicate Evidence: FRE Rule 1001
  • Subsection (4) A duplicate is a counterpart
    produced by the same impression as the original,
    or from the same matrix, or by means of
    photography, including enlargements and
    miniatures, or by mechanical or electronic
    re-recording, or by chemical reproduction, or by
    other equivalent techniques which accurately
    reproduces the original.

9
Evidence
  • Admissibility of Duplicate Evidence
  • FRE Rule 1003
  • A duplicate is admissible to the same extent as
    an original unless (1) a genuine question is
    raised as to the authenticity of the original or
    (2) in the circumstances it would be unfair to
    admit the duplicate in lieu of the original.

10
Collection, Preservation, Acquisition Process
  • Imaging (cloning) is done with write protection
  • Every operating system writes to its disks as it
    boots or shuts down (last-access times, swap, temp
    and log files), so the original must never be
    booted or mounted read/write
  • DOS boot disks: boot the machine from a trusted
    floppy so the suspect's own operating system
    never runs
  • Hardware write blockers such as Digital
    Intelligence's FireFly or Guidance Software's
    EnCase FastBloc

11
Collection, Preservation, Acquisition Process
  • Bit-by-bit copy of the hard disk, written to
    forensic media in the same order as it was read
  • Verified by an MD5 hash value to ensure the
    integrity of the image
  • An MD5 sum (a 128-bit number) is akin to a digital
    fingerprint of a file
  • Two files chosen at random are vanishingly
    unlikely to share an MD5 hash (about 1 in 2^128
    for a given pair), but colliding files can now be
    deliberately constructed, so current practice
    records a SHA-256 hash alongside the MD5
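The acquisition and verification steps from the last three slides, as an added example written for this page (it is not the slides' procedure or any vendor's code). It models what dd, FTK Imager and EnCase do: sector-by-sector copy in read order, hashing as it goes, zero-filling unreadable sectors so offsets still line up, then re-hashing the written image independently. The drive is a constructed in-memory buffer with one sector that fails to read; on real evidence `src` would be the raw device opened read-only behind a hardware write blocker. The examiner name, sector size and sample data are assumptions.

```python
"""Sector-by-sector acquisition with on-the-fly hashing and post-copy
verification. Added example for this page, not the slides' own procedure.
MD5 is kept because it is what this deck (and older case records) use;
SHA-256 is added because MD5 collisions can now be constructed."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: one sector raises on read."""
    def __init__(self, data, bad_offset=None):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("I/O error")
        return super().read(n)


def image_device(src, dst_path, examiner):
    """Copy src to dst_path in read order, hashing as it goes.

    Unreadable sectors are zero-filled and logged (the dd conv=noerror,sync
    behaviour) so offsets in the image still line up with the original.
    Returns the acquisition record an examiner would sign for the custody log.
    """
    size = src.seek(0, os.SEEK_END)
    md5, sha = hashlib.md5(), hashlib.sha256()
    bad = []
    with open(dst_path, "wb") as out:
        off = 0
        while off < size:
            n = min(SECTOR, size - off)
            try:
                src.seek(off)
                chunk = src.read(n)
            except OSError:
                chunk = b"\x00" * n
                bad.append(off)
            md5.update(chunk)
            sha.update(chunk)
            out.write(chunk)
            off += n
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "bad_sectors": bad,
        "source_md5": md5.hexdigest(),
        "source_sha256": sha.hexdigest(),
    }
    record.update(verify_image(dst_path, record))
    return record


def verify_image(path, record):
    """Re-hash the written image independently; it must match the hash taken
    from the source stream or the image cannot be relied on."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {
        "image_md5": md5.hexdigest(),
        "image_sha256": sha.hexdigest(),
        "verified": md5.hexdigest() == record["source_md5"]
        and sha.hexdigest() == record["source_sha256"],
    }


def demo(bad_offset=1024):
    """Acquire a constructed 2 KiB 'drive' whose third sector is unreadable."""
    data = bytes(range(256)) * 8                   # constructed sample, 4 sectors
    dst = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    record = image_device(FlakySource(data, bad_offset), dst, examiner="examiner A")
    record["image"] = dst
    return record
```

The record lists every zero-filled offset, because a hash of the image will not match a later re-read of the original drive if the bad sector recovers; the custody log has to explain that difference rather than leave it to be discovered in court.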

12
Collection, Preservation, Acquisition Process
  • Document everything
  • The acquisition and verification process
  • Who, where, how, when, and sometimes why
  • Retain the original if possible
  • Sometimes not practical

13
Basic Searches
  • Keyword searches: keywords or phrases of interest
    supplied by the client
  • Graphics
  • Files with specific extensions, such as Word
    documents (.doc)

14
Advanced Searches
  • Extracting e-mail/chat
  • Finding Internet history
  • Searching for and interpreting log files
  • Metadata and hexadecimal
  • Hash value searches

15
Computer Forensic Software
  • EnCase (Guidance Software)
  • FTK (AccessData)
  • Paraben
  • NTI
  • More
  • Non-forensic: Norton Ghost
  • Imaging only; by default it copies allocated files
    rather than every sector, so unallocated space and
    slack are not preserved, and it offers no hash
    verification

16
Date Time Stamps
  • MAC times: Modified, Accessed, Created
  • Date created is the date/time the file was
    created on the current volume (a copy made to
    another volume gets a new creation time, which can
    be later than its modified time)
  • Date modified is the date/time the file's content
    was last written
  • Date last accessed is the date the file was last
    opened; on Windows 9x (FAT) only the date is
    stored, with no time, and NTFS has not updated it
    by default since Windows Vista, so the value is
    often stale

17
EnCase Timeline (patterns)
18
Windows Artifacts-Recycle Bin
  • Recycle Bin
  • Records the time and sequence of file deletions
  • Windows keeps an INFO file (INFO2 from Windows 98
    on) that gives the full original path of each
    deleted file, its size, the deletion time and the
    renamed file it became in the Recycle Bin folder
  • Even if the Recycle Bin is emptied, the INFO
    records can often be retrieved from unallocated
    space if they have not been overwritten
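A parser for the INFO2 records the slide describes, as an added example written for this page (not a tool from the slides). The record layout used here is the commonly documented INFO2 format for Windows 98 through XP (a 20-byte header followed by 800-byte records: ANSI path, index, drive number, FILETIME of deletion, size, then the Unicode path), and the "first ANSI byte zeroed when the entry is emptied, Unicode copy left intact" behaviour is the documented XP quirk that lets an examiner still read the name. The two sample records are constructed, not from a case.

```python
"""Parser for the Recycle Bin INFO2 file (Windows 98 through XP) plus a
builder for a constructed sample. Added example for this page."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HDR_SIZE, REC_SIZE = 20, 800
OFF_INDEX, OFF_DRIVE, OFF_TIME, OFF_SIZE, OFF_UNICODE = 0x104, 0x108, 0x10C, 0x114, 0x118


def filetime_to_dt(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def make_record(path, index, drive, deleted_at, size, emptied=False):
    """Build one 800-byte INFO2 record (helper for the constructed sample)."""
    rec = bytearray(REC_SIZE)
    ansi = path.encode("latin-1")[:259]
    rec[0:len(ansi)] = ansi
    if emptied:
        rec[0] = 0        # XP zeroes the first ANSI byte when the entry is emptied/restored
    struct.pack_into("<II", rec, OFF_INDEX, index, drive)
    struct.pack_into("<Q", rec, OFF_TIME, dt_to_filetime(deleted_at))
    struct.pack_into("<I", rec, OFF_SIZE, size)
    uni = path.encode("utf-16-le")[:518]
    rec[OFF_UNICODE:OFF_UNICODE + len(uni)] = uni
    return bytes(rec)


def make_info2(records):
    header = struct.pack("<IIIII", 5, 0, 0, REC_SIZE, 0)   # version 5 = Win2000/XP
    return header + b"".join(records)


def parse_info2(buf):
    version, = struct.unpack_from("<I", buf, 0)
    rec_size, = struct.unpack_from("<I", buf, 12)
    out = []
    for off in range(HDR_SIZE, len(buf) - rec_size + 1, rec_size):
        rec = buf[off:off + rec_size]
        index, drive = struct.unpack_from("<II", rec, OFF_INDEX)
        ft, = struct.unpack_from("<Q", rec, OFF_TIME)
        size, = struct.unpack_from("<I", rec, OFF_SIZE)
        uni = rec[OFF_UNICODE:OFF_UNICODE + 520].decode("utf-16-le", "replace")
        path = uni.split("\x00", 1)[0]
        ext = path[path.rfind("."):] if "." in path else ""
        out.append({
            "original_path": path,
            "emptied": rec[0] == 0,          # ANSI copy zeroed, Unicode copy survives
            "drive": chr(ord("A") + drive),
            "recycled_name": f"D{chr(ord('a') + drive)}{index}{ext}",   # name in the Recycler folder
            "deleted_utc": filetime_to_dt(ft),
            "size": size,
            "index": index,
        })
    return {"version": version, "records": out}


def demo():
    """Parse a constructed INFO2 with one live and one emptied entry."""
    t1 = datetime(2002, 1, 19, 1, 9, 11, tzinfo=timezone.utc)
    t2 = datetime(2002, 1, 19, 1, 12, 0, tzinfo=timezone.utc)
    blob = make_info2([
        make_record(r"C:\Documents and Settings\jdoe\My Documents\plan.doc", 5, 2, t1, 24576),
        make_record(r"D:\tools\w.exe", 6, 3, t2, 61440, emptied=True),
    ])
    return parse_info2(blob)
```

The deletion time is FILETIME in UTC; the examiner has to apply the machine's time zone (from the registry) before comparing it with local log entries. The same FILETIME conversion applies to $I files on Vista and later, which replaced INFO2.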

19
Windows Artifacts-Shortcut Files
  • Shortcut (.lnk) files are created in the
    Windows\Desktop, Windows\Recent and Windows\SendTo
    folders (Windows 9x locations; NT-family versions
    keep them under each user's profile)
  • Windows\Desktop contains shortcuts that give
    indications of how a user configured his or her
    desktop
  • The files refer to applications, data files,
    printers and external drives
  • Shortcuts on the desktop can support the
    suspicion that a user had knowledge of a
    particular file or application on the computer

20
Windows Artifacts-Printing
  • Windows creates several files during printing: a
    temporary EMF (enhanced metafile), a .SHD (shadow)
    file and a .SPL (spool) file
  • These temporary files are created whether the
    print job comes from removable or non-removable
    media, and are deleted after printing completes

21
Windows Artifacts-Printing
  • The EMF files are an image of the printing job
  • The .SHD contains information about the print job
    including the owner, the printer, the name of the
    file printed and the printing method
  • The .SPL file contains the name of the file
    printed, the method of printing and a list of
    files that contain the data to be printed

22
(No Transcript)
23
Logs
  • No unusual logons in the Security Event Log
  • IIS logs from before the security patch was
    installed show the compromise came in through the
    web server
  • Anti-virus messages in the Application Event Log
  • 1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A,
    CONTROL,Virus Found! Virus name: BO2K.Trojan
    Variant in File: C:\WINNT\Java\w.exe by:
    Scheduled scan. Action: Clean failed :
    Quarantine succeeded Virus Found! Virus
    name: BO2K.Trojan Variant in File:
    C:\WINNT\system32\wlogin.exe by: Scheduled scan.
    Action: Clean failed : Quarantine failed
  • 1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A,
    CONTROL,Scan Complete: Viruses: 2
    Infected: 2 Scanned: 62093 Files/Folders/Drives
    Omitted: 89
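Parsing those exported event-log lines and pulling the detections out of them, as an added example written for this page (not a tool from the slides). The two lines are the ones shown on the slide, with the colons the transcript dropped restored; the field order (date, time, type, category, event ID, source, user, computer, description) is the dumpel-style export format those lines follow, the event-type numbers are the standard NT values, and the regular expression is fitted to the Norton AntiVirus message text on the slide.

```python
"""Parse exported NT event-log lines and extract antivirus detections,
flagging files the scanner could neither clean nor quarantine.
Added example for this page; SAMPLE_LOG is the slide's two lines."""
import re
from datetime import datetime

EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}

SAMPLE_LOG = (
    r"1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A,CONTROL,"
    r"Virus Found! Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. "
    r"Action: Clean failed : Quarantine succeeded "
    r"Virus Found! Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. "
    r"Action: Clean failed : Quarantine failed" "\n"
    r"1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A,CONTROL,"
    r"Scan Complete: Viruses: 2 Infected: 2 Scanned: 62093 Files/Folders/Drives Omitted: 89" "\n"
)

# One NAV event packs several "Virus Found!" blocks into a single description.
DETECT = re.compile(r"Virus name: (?P<name>.+?) in File: (?P<file>.+?) by: (?P<by>.+?)\."
                    r" Action: (?P<action>.+?)(?= Virus Found!|$)")
SUMMARY = re.compile(r"Viruses: (\d+) Infected: (\d+) Scanned: (\d+) "
                     r"Files/Folders/Drives Omitted: (\d+)")


def parse_events(text):
    """Split dumpel-style CSV lines; the description is the 9th field and
    may itself contain commas, hence the bounded split."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, etype, _cat, eid, source, _user, computer, desc = line.split(",", 8)
        events.append({
            "time": datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p"),
            "type": EVENT_TYPES.get(int(etype), etype),
            "event_id": int(eid),
            "source": source,
            "computer": computer,
            "description": desc,
        })
    return events


def detections(events):
    """One entry per detected file, with what the scanner managed to do."""
    out = []
    for ev in events:
        for m in DETECT.finditer(ev["description"]):
            out.append({
                "time": ev["time"], "computer": ev["computer"],
                "name": m["name"], "file": m["file"], "by": m["by"],
                "action": m["action"],
                "cleaned": "Clean succeeded" in m["action"],
                "quarantined": "Quarantine succeeded" in m["action"],
            })
    return out


def scan_summary(events):
    for ev in events:
        m = SUMMARY.search(ev["description"])
        if m:
            v, i, s, o = map(int, m.groups())
            return {"viruses": v, "infected": i, "scanned": s, "omitted": o}
    return None


def still_on_disk(dets):
    """Files neither cleaned nor quarantined: still live on the drive and
    the first things to preserve and examine from the image."""
    return [d["file"] for d in dets if not (d["cleaned"] or d["quarantined"])]
```

On the slide's own lines the filter leaves `C:\WINNT\system32\wlogin.exe` as the file the scanner could not remove, which is the artifact to pull from the image (and to hash for comparison against other hosts) before anything else.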

24
SMART Case View
25
SMART Main Screen
26
FTK E-mail Extraction
27
Password Recovery Toolkit
  • PRTK: combinations and permutations of candidate
    words
  • Import the FTK keyword list
  • Missed obvious combinations
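What "combinations and permutations" of an imported keyword list looks like, as an added example written for this page (it is not PRTK's code or rule set). The rules here (case forms, digit and year suffixes, simple leet substitution, two-word joins) are the author's choice of "obvious combinations"; the keyword list is constructed, and the target is a plain SHA-1 of a known password standing in for the file format's own password verifier (Office, ZIP, PGP), which is the part PRTK actually implements.

```python
"""Password candidate generation from a keyword list, the idea behind feeding
FTK's index into PRTK. Added example for this page; rules and target are
constructed, not PRTK's."""
import hashlib
import itertools

SUFFIXES = ["", "1", "123", "!", "2001", "2002"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

KEYWORDS = ["fido", "lansing", "acme"]               # constructed: pet, city, employer
TARGET_SHA1 = hashlib.sha1(b"Fido2002").hexdigest()  # constructed target


def word_forms(word):
    """Case variants of a word plus their leet-substituted forms."""
    base = {word.lower(), word.upper(), word.capitalize()}
    return base | {b.translate(LEET) for b in base}


def candidates(keywords):
    """Yield candidates in a deterministic order, cheapest rules first."""
    forms = sorted(set().union(*(word_forms(w) for w in keywords)))
    seen = set()
    for w in forms:
        for suf in SUFFIXES:
            c = w + suf
            if c not in seen:
                seen.add(c)
                yield c
    for a, b in itertools.permutations(forms, 2):        # two-word joins
        for suf in ("", "1"):
            c = a + b + suf
            if c not in seen:
                seen.add(c)
                yield c


def crack(target_hex, keywords, limit=200_000):
    """Return the candidate whose SHA-1 matches, or None within the budget."""
    for n, c in enumerate(candidates(keywords)):
        if n >= limit:
            return None
        if hashlib.sha1(c.encode()).hexdigest() == target_hex:
            return c
    return None
```

Three keywords already produce several hundred candidates; the value of the FTK keyword list is that it supplies the words the user actually had on the drive, which a generic dictionary lacks. A rule set that omits a year suffix or a two-word join is how a tool "misses obvious combinations".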

28
Evidence on Networks
  • Associating Online Activity with Logs
  • Server logs
  • E-mail server logs
  • Web server logs

29
Network Assessment
  • Accessible from the Internet
  • No dial-up access
  • Many services enabled
  • file sharing
  • Internet Information Server
  • FTP (anonymous FTP disabled)
  • IIS fully patched

30
Network Artifacts
  • Downloaded files
  • Interactive connections
  • Telnet LastMachine value (registry)
  • SecureCRT .ini
  • Secure Shell
  • Unix directory listing on Windows PC
  • Web, e-mail, Usenet, IRC, etc.
  • IIS Transactions
  • pagefile.sys
  • Mapped network drives
  • NetHood (profile, MFT, registry, unallocated)

31
Network Artifacts (Telnet)
  • Telnet registry