Computer Forensics - PowerPoint PPT Presentation

1
Computer Forensics
  • Ryerson University
  • February 16, 2005
  • S/Sgt. Paul Poloz,
  • Royal Canadian Mounted Police

2
Current Posting
  • Integrated Cyber Intelligence Team
  • Technological Crime Branch
  • Technical Operations Directorate, HQ
  • Royal Canadian Mounted Police
  • Ottawa

3
Staff Sergeant Paul Poloz
  • Graduated from Ryerson in 1989.
  • Uniform and plainclothes work for 6 years on the
    west coast
  • French language training
  • Peacekeeping mission in Haiti
  • Technological Crime Branch
  • Eight years experience
  • Computer forensics, tech crime investigations
  • Secondment to Ottawa Police Service
  • Secondment to National Child Exploitation
    Investigation Coordination Centre

4
Staff Sergeant Paul Poloz
  • Declared expert witness in criminal court and
    testified numerous times.
  • Lecture at the Canadian Police College and other
    venues on computer forensics and tech crime
    investigations.
  • Recently completed a part-time MBA at University
    of Ottawa

5
Topics Covered
  • Definition of computer forensics
  • Brief history of computer forensics
  • Computer forensic methodology
  • Incident response
  • Location of evidence
  • Continuity
  • Statements
  • Tech crime investigations
  • Case study

6
Definition of Computer Forensics
  • Computer Forensics deals with the preservation,
    identification, extraction and documentation of
    computer evidence.
  • Source: New Technologies Inc. (NTI) website.
  • Usually performed for judicial process.
  • Criminal
  • Civil
  • CF usually performed on data at rest

7
History of Computer Forensics
  • PCs (introduction to late 1990s)
  • Intel CPU-based PCs: non-standard hardware and
    software
  • FAT file system
  • Forensics done on DOS platform despite Windows OS
  • In-house RCMP utilities to facilitate file
    residue analysis, hard disk lock, file listing,
    drive duplication.
  • Limited searching capabilities
  • Multiple disk images made of original during
    forensic process
  • Standalone forensics

8
History of Computer Forensics
  • Mainframes and Minis
  • Not much demand for forensics
  • Limited usage
  • Limited access
  • Forensics done on ad-hoc basis, computer experts
    tasked by police

9
History of Computer Forensics
  • Late 1990s saw the emergence of GUI based tools
  • Standardized hardware
  • Proliferation of file systems
  • Internet gaining in popularity
  • A variety of file systems processed under one
    platform
  • Many different vendors to choose from
  • The Internet, networking
  • Pieces of puzzle scattered

10
History of Computer Forensics
  • Image galleries
  • Sophisticated search capabilities
  • GREP subset, sound-alike, fuzzy-searches
  • Sorting, hashing (data reduction)
  • Report generation
  • Data (file system and residue) stored and
    accessed as files
  • Data authentication (embedded hashes)
  • Sophisticated Scripting Languages

11
CF Present State
  • New technology introduced at a rapid rate. Other
    technology gaining in popularity
  • LANs, wireless, RAID, SANs
  • Remote storage technologies
  • OSs with default encrypted filesystems.
  • Huge storage capacities
  • Data reduction techniques
  • Multiprocessor architecture
  • Linguistic issues
  • Unicode

12
Objectives
  • Ensure that not one bit of data on a hard disk is
    altered.
  • Imaging techniques
  • Analyze all of the data.
  • Problems with large data sets
  • Encryption
  • Present the findings tailored to the intended
    audience.
  • Unbiased
  • Many people involved in the judicial system have
    limited knowledge of I.T.

13
File Residue
  • Many file systems contain file residue
  • Example (FAT): deleted and hidden files, bad
    clusters, file slack
  • Valuable evidence can be located
  • Wiping utilities prove to be problematic
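As an added illustration of the file-slack point above (example code, not from the presentation): a constructed cluster-based image in which a short new file was written over a cluster that once held a since-deleted note, so the note's tail survives between the new file's logical end and the cluster boundary, where a strings-style sweep recovers it. The cluster size, file contents and the assumption that only the bytes the new file needed were overwritten are all constructed for the example.

```python
CLUSTER_SIZE = 512  # constructed: a small cluster so the whole image fits in memory

def build_sample_image():
    """Constructed two-cluster image. Cluster 0 once held a note that was later
    deleted; a shorter file was then written into the same cluster and only the
    bytes it needed were overwritten, so the note's tail survives as file slack
    (the classic FAT-era behaviour the slide refers to; newer file systems may
    zero-fill the slack instead)."""
    old_note = b"DELETED NOTE: meeting at 9pm, bring the tapes".ljust(CLUSTER_SIZE, b"\x00")
    new_file = b"shopping list: milk, eggs"
    cluster0 = new_file + old_note[len(new_file):]
    cluster1 = bytes(CLUSTER_SIZE)  # never allocated
    return cluster0 + cluster1

def file_slack(image, start_cluster, logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes between a file's logical end and the end of its last cluster.
    Assumes the file's clusters are contiguous from start_cluster."""
    n_clusters = max(1, -(-logical_size // cluster_size))  # ceiling division
    last_start = (start_cluster + n_clusters - 1) * cluster_size
    used_in_last = logical_size - (n_clusters - 1) * cluster_size
    return image[last_start + used_in_last:last_start + cluster_size]

def printable_strings(data, min_len=6):
    """Runs of printable ASCII in a byte region (a minimal 'strings')."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

def recover_slack_strings():
    """Carve the slack of the 25-byte live file in cluster 0 and list what is readable."""
    image = build_sample_image()
    slack = file_slack(image, start_cluster=0, logical_size=25)
    return printable_strings(slack)

if __name__ == "__main__":
    print(recover_slack_strings())  # ['9pm, bring the tapes']
```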

14
Basic Forensic Process
  • Seize computer (may include on-site examination,
    write blocker?)
  • Remove hard disk from CPU chassis
  • Image acquisition
  • Analysis performed using image (unless for a
    quick triage)
  • Off-the-shelf products (SMART, Encase, FTK)
  • ILOOK
  • Linux
  • In-house utilities and solutions
  • Native O/S

15
Basic Forensic Process
  • Search for text (e.g. grep search)
  • Examine graphic images
  • Uncompress, undelete, decrypt, extract residue
  • Gather evidence
  • Create final report

16
Hazards of Using the Target O/S
  • A virus could destroy evidence.
  • Trojans/modified commands.
  • Dates associated with files may be altered.
  • File residue may be overwritten.
  • Altering evidence introduces doubt into the
    integrity of the data.

17
Tainting the process
  • Use of untrained personnel to perform the
    forensic examination.
  • Power-up the target computer.
  • Use the target computer's operating system to
    open files and examine data.
  • Install software to the target hard disk.
  • Improper shut-down.
  • Continuity issues.
  • Data integrity issues

18
Case Study Number 1
  • Hacker investigation
  • Investigation in 2002 of a crime committed in
    1996.
  • Phf exploit used by the perpetrator. BSD Unix
    platforms, with ISPs as victims.
  • Gained access to password file (but not shadow
    password file).
  • Attempts were made to get password hashes.
  • Investigation involved seizing old BSD backup
    tapes from 3 locations.

19
Case Study Number 1
  • Forensics done on Linux platform
  • Use of special utilities to determine tape format
  • Search Internet for appropriate restore software
  • Evidence copied to CD-ROM then processed on Windows
    platform.

20
Case Study Number 2 - Predator
  • IRC chat room.
  • Identify targets of local jurisdiction
  • Engage suspect
  • Assess suspect's culpability
  • Ascertain if offence is or will be committed.
  • Search warrant (dial-up account)
  • Set-up meeting and surveillance
  • Meet suspect and gather RPG (reasonable and
    probable grounds) to search residence.

21
Case Study Number 2 - Predator
  • Arrest suspect and hold in custody
  • Execute search warrant and seize exhibits
  • On-site examination for RPG and determine
    severity of offence (evidence for Show Cause).
  • Process suspect.
  • Forensic processing at lab

22
Cyber Crime Incident Response
  • What is an incident?
  • Computer as a target
  • Unauthorized access
  • Mischief to data
  • Port Scans?
  • Computer as a tool
  • Threats
  • Hate Crime
  • Child Pornography
  • Fraud, etc

23
Incident Response
  • Educate users to raise security awareness
  • Build a centralized incident reporting centre
  • Establish escalation procedures
  • Ensure that service-level agreements include
    provisions for security compliance
  • Decide in advance under what circumstances you'd
    call the police
  • Establish communication procedures should this
    become a media event.

24
Incident Response
  • Is the threat external or internal to the company?
  • Will event be reported to the police?
  • Your initial actions can make or break the case
  • Call police as soon as possible.
  • Lots of gray areas
  • Management may not want police involvement
  • Incident may be trivial
  • Incident may be civil

25
Incident Response
  • Detect incident
  • Analyze the incident
  • Contain or eradicate the problem
  • Provide workarounds or fixes
  • Prevent re-infection
  • Log events
  • Preserve evidence
  • Conduct post-mortem and apply lessons learned

  (Source: CIO cyberthreat response reporting guidelines)
26
Incident Response
  • If management is undecided whether to involve
    police or not
  • Contain incident (take affected resources
    offline)
  • Observe and document machine state
  • Symptoms of incident
  • Unexplained processes
  • Etc.

27
Incident Response
  • Preserve evidence
  • Log files, password file, other suspicious data
  • Original source (i.e. hard disk) is best evidence
    but copies often used.
  • Photograph or screen captures
  • Consider hashing of preserved files.
  • Gather evidence from those involved
  • Make detailed notes of everything you do
  • Write report so that non-technical personnel
    grasp the concepts, but be complete.

28
Documentation
  • Notes: made at the time of the incident while it
    is occurring. Record your actions as you're doing
    them. The notes are for yourself but may be
    disclosable.
  • Statement: transcribed notes. Describe your
    actions with respect to the incident. Used to aid
    investigators, and to refresh your memory. Plain
    language in as much detail as possible.
  • Report: comprehensive report of the incident. May
    include information derived from other sources.

29
Evidence Handling
  • Continuity is paramount
  • Must be able to convince a judge that evidence is
    accurate and wasn't tampered with.
  • Locks and special lockers
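An added example (not part of the presentation) of the hashing and continuity practice from slides 27 and 29: each preserved file gets a recorded SHA-256 hash together with who copied it, when and why, and any later change is detected when the hash is recomputed. The sample log line, examiner label and note are constructed; the chunked hashing is what lets the same routine cover a full disk image.

```python
import datetime
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def preserve(path, examiner, note, custody_log):
    """Log the hash with who took the copy, when and why (one continuity entry)."""
    entry = {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "examiner": examiner,
        "note": note,
        "recorded_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    custody_log.append(entry)
    return entry

def verify(path, custody_log):
    """Recompute the hash and compare with the last logged value for that file."""
    name = os.path.basename(path)
    recorded = [e["sha256"] for e in custody_log if e["file"] == name]
    return bool(recorded) and sha256_file(path) == recorded[-1]

def demo():
    """Constructed scenario: preserve a server log, then catch a later edit.
    Returns (verified_before_edit, verified_after_edit)."""
    custody_log = []
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "access.log")
        with open(log_path, "wb") as fh:  # constructed sample log line
            fh.write(b'192.0.2.10 - - [16/Feb/2005:09:00:01 -0500] "GET / HTTP/1.0" 200 512\n')
        preserve(log_path, "examiner-1", "copied during on-site examination", custody_log)
        before = verify(log_path, custody_log)
        with open(log_path, "ab") as fh:  # simulate an accidental change after preservation
            fh.write(b"# edited after seizure\n")
        after = verify(log_path, custody_log)
    return before, after
```

Running `demo()` returns `(True, False)`: the copy verifies against its custody entry until it is touched, after which the mismatch is what an examiner would have to explain in court.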

30
Tech Crime Investigation
  • Distributed Denial Of Service case study.
  • Fictitious but entirely plausible
  • A Toronto based company with a web presence
    experiences server performance problems. Service
    degraded to the point where there is a loss of
    business.
  • Sys-admin reviews logs and notices large amounts
    of traffic from multiple IP addresses.
  • Police notified.
  • Several log entries show traffic coming from the
    same IP address.

31
Tech Crime Investigation
  • Several IP addresses are identified by sys-admin
    and police as being suspect.
  • Traceroute, whois, DNS look-up, etc. trace the IP
    to an ISP in Calgary.
  • Police contact ISP and are given Vancouver as the
    geographical location of the subscriber.
  • Investigation continues with assistance of local
    police force. A search warrant for subscriber
    information is executed on the ISP.

32
Tech Crime Investigation
  • In compliance with the search warrant the
    subscriber's name, address, credit card number,
    and usage history are given to police.
  • Surveillance and computer checks on the residence
    indicate that a man and woman reside there (male
    subject is ISP subscriber).
  • Search warrant executed on the residence,
    computer seized, occupants questioned. Occupants
    deny involvement.
  • Forensics reveals Back Orifice Trojan on the computer

33
Tech Crime Investigation
  • IP address responsible for Trojan is located.
  • Evidence linking the originator of the Trojan
    with DDOS is found.
  • IP address is administered by an ISP in Dallas.
  • FBI contacted and assists with a preservation
    order. FBI determines that suspect lives in
    Dallas.
  • MLAT request initiated by local authorities.
  • Subscriber details obtained via MLAT and given to
    Canadian authorities.

34
Tech Crime Investigation
  • FBI or Dallas Police assist by searching
    residence subject to MLAT request.
  • Interview of suspect, further investigation
  • Extradition request.

35
Additional resources
  • http://www.asrdata.com/SMART/
  • Linux-based forensic software
  • http://www.forensics-intl.com/ev-info.html
  • NTI website: good articles
  • http://www.dmares.com/maresware/linksto_forensic_tools.htm
  • Maresware: excellent links
  • http://www.accessdata.com/Product04_Overview.htm
  • Forensic Tool Kit (FTK): Windows platform
  • http://www.guidancesoftware.com
  • EnCase forensic software: Windows platform

36
Additional resources
  • www.linux-forensics.com
  • Information and links regarding Linux forensics
  • http://www.ojp.usdoj.gov/nij/sciencetech/publications.htm#publicationcollections
  • First responders' guide
  • http://www.cio.com/research/security/incident_response.pdf
  • Incident response guidelines