Solving Computer Crime: An Introduction to Digital Forensics - PowerPoint PPT Presentation

1
Solving Computer Crime: An Introduction to
Digital Forensics
  • Golden G. Richard III, Ph.D.
  • Dept. of Computer Science
  • Gulf Coast Computer Forensics Laboratory (GCCFL)
  • golden_at_cs.uno.edu

2
Digital Forensics
  • Definition: tools and techniques to recover,
    preserve, and examine digital evidence on or
    transmitted by digital devices.
  • Devices include computers, PDAs, cellular phones,
    videogame consoles, ...

3
Examples of Digital Evidence
  • Computers increasingly involved in criminal and
    corporate investigations
  • Digital evidence may play a supporting role or be
    the smoking gun
  • Email
    • Harassment or threats
    • Blackmail
    • Illegal transmission of internal corporate
      documents
    • Meeting points/times for drug deals
    • Suicide letters
    • Technical data for bomb making
  • Image or digital video files (esp. child
    pornography)
  • Evidence of inappropriate use of computer
    resources or attacks
    • Use of a machine as a spam email generator
    • Use of a machine to distribute illegally copied
      software

4
Major Issues
  • Identification of potential digital evidence
    • Where might the evidence be? Which devices did
      the suspect use?
  • Preservation of evidence
    • On the crime scene
    • First, stabilize evidence: prevent loss and
      contamination
    • If possible, make identical copies of evidence
      for examination
  • Careful extraction and examination of evidence
  • Presentation
    • "The FAT was fubared, but using a hex editor I
      changed the first byte of directory entry 13 from
      0xE5 to 0x48 to restore HITLIST.DOC"
    • "The suspect attempted to hide the Microsoft Word
      document HITLIST.DOC but I was able to recover
      it without tampering with the file contents."
    • Same finding, two audiences: the second phrasing
      is the one a jury can follow
  • Legal: investigatory needs meet privacy

5
Preservation of Evidence: hardly trivial
(Image slide; captions: "tick, tick, tick...", "Just pull
the plug?", "Move the mouse for a quick peek?", "Tripwires",
"Volatile computing", "Living room")
6
Preservation Imaging
  • When making copies of media to be investigated,
    you must prevent accidental modification or
    destruction of evidence!
  • Write blockers: use them. Always.
  • dd under Linux
  • DOS boot floppies
  • Proprietary imaging solutions
  • Hash the source and the image (MD5/SHA-1 in this
    deck's era, SHA-256 today) and record both, so the
    copy can later be shown to be bit-identical

(Image: Drivelock write blocker)
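As an added example (not code from the deck), the following Python sketch shows what the dd invocation above has to get right: copy the source block by block without ever aborting on a read error, zero-fill the unreadable block so later offsets stay aligned (dd's conv=noerror,sync), and record a hash of the image together with the bad-block log so the copy can be verified later. FlakyDevice is a constructed in-memory stand-in for a failing drive, the sample bytes are made up, and the real command would run behind a write blocker (hardware, or blockdev --setro on Linux) so nothing is ever written to the source.

```python
"""Forensic imaging with dd-style error handling (added example).

Mirrors `dd if=/dev/sdX of=image.dd bs=4096 conv=noerror,sync`: read block
by block, never abort on a read error, replace an unreadable block with
zeros so every later byte keeps its original offset, and hash the result.
"""
import hashlib
import io

BLOCK = 4096  # copy unit; the bs= of dd


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device: reading any block listed in
    bad_blocks raises OSError, as a failing sector does on real hardware."""

    def __init__(self, data, bad_blocks=()):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)

    def read(self, size=-1):
        block_no = self.tell() // BLOCK
        if block_no in self.bad_blocks:
            raise OSError(f"I/O error reading block {block_no}")
        return super().read(size)


def image_device(src, dst, log):
    """Copy src to dst block by block (dd conv=noerror,sync semantics).
    Appends one line per unreadable block to log and returns the SHA-256
    of the bytes actually written to dst."""
    src.seek(0)
    digest = hashlib.sha256()
    block_no = 0
    while True:
        try:
            chunk = src.read(BLOCK)
        except OSError as err:
            # noerror: keep going; sync: pad so offsets stay aligned
            log.append(f"block {block_no}: {err}; zero-filled")
            chunk = b"\0" * BLOCK
            src.seek((block_no + 1) * BLOCK)
        if not chunk:
            break
        if len(chunk) < BLOCK:
            chunk = chunk.ljust(BLOCK, b"\0")  # sync pads a short final read
        dst.write(chunk)
        digest.update(chunk)
        block_no += 1
    return digest.hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(device_bytes, bad_blocks=()):
    """Image a constructed device; returns (image, image_sha256, bad_block_log)."""
    src = FlakyDevice(device_bytes, bad_blocks)
    dst = io.BytesIO()
    log = []
    digest = image_device(src, dst, log)
    return dst.getvalue(), digest, log


def verify_image(image, recorded_digest):
    """Re-hash the image later (before analysis, or in court) and compare
    with the digest recorded at acquisition time."""
    return sha256_hex(image) == recorded_digest


if __name__ == "__main__":
    # Constructed 4-block "drive"; the second acquisition has block 2 unreadable.
    drive = bytes(range(256)) * (4 * BLOCK // 256)
    image, digest, log = acquire(drive)
    print("clean image matches source:", digest == sha256_hex(drive), log)
    image, digest, log = acquire(drive, bad_blocks=[2])
    print("damaged image:", len(image), "bytes, log:", log)
    print("verify later:", verify_image(image, digest))
```

With no bad blocks the image hash equals the source hash; with a bad block it cannot, so what goes in the case notes is the image hash plus the log, not a claim of a bit-identical copy.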
7
Extraction and Examination
  • Know where evidence can be found
  • Understand techniques used to hide or destroy
    digital data
  • Toolbox of techniques to discover hidden data and
    recover destroyed data
  • Cope with HUGE quantities of digital data
  • Ignore the irrelevant and target the relevant

8
Where's the evidence?
  • Undeleted files (expect some names to be
    incorrect)
  • Deleted files
  • Windows registry
  • Print spool files
  • Hibernation files
  • Temp files (all those .TMP files!)
  • Slack space
  • Swap files
  • Browser caches
  • Alternate partitions
  • On a variety of removable media (floppies, ZIP,
    Jaz, tapes, ...)

9
Fallacy vs. Fact in Digital Forensics
  • Many digital forensics tools and techniques are
    quite complex
  • Very difficult to cover in a short lecture
  • To illustrate investigative procedures for
    digital forensics, a fact vs. fallacy approach
    • Fallacy: the user attempting to hide evidence
      believes one thing...
    • Fact: ...but in fact...
  • Look at a few fact vs. fallacy scenarios
  • Then, one more advanced topic

10
Fallacy: "The file was deleted, it's gone!"
  • Users often mistake normal deletion of files for
    secure deletion
  • Deleted files are recoverable using forensics tools
  • Why?
    • The filesystem makes a small change to its
      bookkeeping info to mark a file as deleted
    • The data associated with the file is NOT erased
    • Example: on FAT32 (Windows), the first byte of the
      filename in the directory entry is changed to 0xE5
      to delete the file
    • Forensics software changes that one byte back (the
      original first character is lost, so it is guessed)
      and the file reappears
    • The entry still gives the first cluster and size;
      the FAT cluster chain itself is cleared, so a
      fragmented file may need carving instead
  • To prevent recovery, you must perform a secure
    overwrite of the file or physically destroy the
    media
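To make the FAT example concrete, here is an added Python walk-through with a constructed directory cluster and data area (not code from the deck): it parses 32-byte short-name entries, shows the deleted one with its overwritten first byte, restores the entry by rewriting that single byte, and then reads the file's bytes, which were never erased. Offsets and marker values follow the Microsoft FAT specification; the file names, cluster numbers and contents are made up.

```python
"""FAT short-name directory entries: how deletion marks an entry and how
an examiner reverses it (added example, constructed data).
Entry layout per the FAT spec: name 0-10, attr 11, start cluster high
word 20-21, low word 26-27, file size 28-31."""
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first byte of a deleted entry
END_OF_DIR = 0x00        # first byte of an entry that was never used
ATTR_LFN = 0x0F          # long-file-name pieces; skipped here
CLUSTER_SIZE = 512       # constructed volume: one sector per cluster
FIRST_DATA_CLUSTER = 2   # FAT numbers data clusters from 2


def make_entry(name, ext, attr, first_cluster, size):
    """Build a 32-byte entry (constructed test data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def parse_directory(buf):
    """Return live and deleted short-name entries in a directory cluster."""
    entries = []
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = buf[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break                      # nothing after this was ever allocated
        if raw[11] == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        # Deletion overwrote only the first name byte; show it as '?'
        head = "?" if deleted else chr(raw[0])
        name = (head + raw[1:8].decode("ascii", "replace")).rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", raw, 20)
        lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({
            "index": off // ENTRY_SIZE,
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def undelete(buf, index, first_char):
    """Rewrite the first byte of entry `index` with the examiner's guess for
    the lost character.  Nothing else is touched, which is the basis of
    the 'recovered without tampering with the contents' statement."""
    buf = bytearray(buf)
    off = index * ENTRY_SIZE
    if buf[off] != DELETED_MARK:
        raise ValueError(f"entry {index} is not marked deleted")
    buf[off] = ord(first_char)
    return bytes(buf)


def read_contiguous(entry, data_area, cluster_size=CLUSTER_SIZE):
    """Pull the file's bytes assuming its clusters are contiguous.  Deletion
    clears the FAT chain (and on FAT32 Windows also zeroes the high cluster
    word), so a fragmented or large file needs carving instead."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * cluster_size
    return data_area[start:start + entry["size"]]


# Constructed directory: one live file, one deleted file, then free entries.
HITLIST_CONTENT = b"names of people to visit: ..."
README_ENTRY = make_entry("README", "TXT", 0x20, 3, 11)
HITLIST_ENTRY = bytearray(make_entry("HITLIST", "DOC", 0x20, 5, len(HITLIST_CONTENT)))
HITLIST_ENTRY[0] = DELETED_MARK   # all that 'del HITLIST.DOC' changed
SAMPLE_DIR = README_ENTRY + bytes(HITLIST_ENTRY) + bytes(ENTRY_SIZE)

# Constructed data area, clusters 2..5: the deleted file's bytes are still there.
SAMPLE_DATA_AREA = (
    bytes(CLUSTER_SIZE)                              # cluster 2: unused
    + b"hello world".ljust(CLUSTER_SIZE, b"\0")      # cluster 3: README.TXT
    + bytes(CLUSTER_SIZE)                            # cluster 4: unused
    + HITLIST_CONTENT.ljust(CLUSTER_SIZE, b"\0")     # cluster 5: HITLIST.DOC
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e)
    restored = parse_directory(undelete(SAMPLE_DIR, 1, "H"))[1]
    print(restored["name"], read_contiguous(restored, SAMPLE_DATA_AREA))
```

The guessed first character is the only thing the examiner supplies; everything else in the restored entry and in the data clusters is exactly what the suspect's own filesystem left behind.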

11
Fallacy: "I renamed the file, I'm safe!"
  • childporn.jpg → winword.exe
  • Renaming files is an ineffective defense against
    digital forensics investigation
  • Technique 1
    • Most file types (e.g., JPEG image) have a
      structure that can be recognized directly,
      regardless of the filename a user chooses
    • e.g., JPEG files begin with 0xFFD8FF and contain
      0x4A464946 ("JFIF") or 0x45786966 ("Exif") in the
      first block of the file
  • Technique 2
    • Cryptographic hashing provides a mechanism for
      fingerprinting files
    • File contents are matched quickly, regardless of
      name
    • Hashes equivalent ⇒ file contents equivalent
    • Think of fingerprints: they don't care about hair
      color

12
Aside: Hashing
  • Typical algorithms: SHA-1, MD5 (both since broken
    for collision resistance; current practice is
    SHA-256, with MD5/SHA-1 kept only to match legacy
    hash sets)
  • Example:
    C> md5sum golden.jpg
    b28f08b004a7251a418e089ef3bb7409 golden.jpg
    C> rename golden.jpg winword.exe
    C> md5sum winword.exe
    b28f08b004a7251a418e089ef3bb7409 winword.exe
  • Can automate checking of hashes
  • Huge dictionaries exist with hashes for known
    files: http://www.nsrl.nist.gov/index/prodname.index.txt
  • ...and known child pornography files
  • Can quickly disregard known files and target the
    interesting stuff

13
Fallacy: "I format-ed the drive, whew!"
  • Formatting a drive does not prevent recovery of
    digital evidence
  • In fact, format typically overwrites less than 1%
    of drive contents
  • Why does it take so long? Format is reading disk
    blocks to determine if bad blocks exist
  • Format wipes out directories, so names of files
    are lost
  • A lot of the data can still be recovered by
    sifting through data that remains after the
    format operation
  • For example, file carving tools reconstruct files
    by examining the initial and terminal bytes of
    the file (header and footer signatures)
  • See digital forensics Technique 1 under the file
    renaming fallacy
  • Caveat for current systems: since Windows Vista a
    full (non-quick) format writes zeros over the whole
    volume; a quick format still rewrites only the file
    system metadata
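The three fallacies above (renaming, hashing, formatting) rest on one fact: the examiner works from content, not from names or directories. The added Python example below (constructed data, not the deck's code) recognizes files by magic bytes regardless of extension, drops files whose SHA-256 is in a known-file set the way NSRL matching does, and carves JPEGs out of a raw post-format image by their SOI/EOI markers. The signature table, the sample "files" and the known-hash set are illustrative, and the JPEG blobs are shaped like JFIF files but are not decodable pictures.

```python
"""Content-based triage: type by magic bytes, known-file hash filtering,
and header/footer carving (added example, constructed data)."""
import hashlib

# (magic bytes, offset, type).  JPEG: SOI marker; "JFIF"/"Exif" follows at offset 6.
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),      # also docx/xlsx/jar containers
    (b"MZ", 0, "exe"),              # DOS/PE executable
]
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
               "zip": "zip", "docx": "zip", "exe": "exe", "dll": "exe"}
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def identify(data):
    """Type from content alone; renaming the file changes nothing here."""
    for magic, off, kind in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            return kind
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(files, known_hashes):
    """files: {name: bytes}.  known_hashes: SHA-256 hex digests of files that
    can be ignored (OS and application files, as in the NSRL).  Returns one
    (name, detected_type, verdict) per file."""
    verdicts = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = identify(data)
        if sha256_hex(data) in known_hashes:
            verdict = "known file, skip"
        elif kind != "unknown" and EXT_TO_TYPE.get(ext) != kind:
            verdict = "extension mismatch"
        else:
            verdict = "review"
        verdicts.append((name, kind, verdict))
    return verdicts


def carve_jpegs(blob, max_size=8 * 1024 * 1024):
    """Header/footer carving: every SOI..EOI span up to max_size becomes a
    candidate file.  Caveat: an Exif thumbnail carries its own SOI/EOI, so
    a real carver validates marker structure instead of trusting the first
    EOI it sees."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1
            continue
        found.append((start, blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def make_jpeg(body):
    """Minimal JFIF-shaped blob (constructed; not a decodable picture)."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + body + JPEG_EOI


FAKE_EXE = b"MZ\x90\x00" + bytes(60)
JPEG_A = make_jpeg(b"picture A " * 20)
JPEG_B = make_jpeg(b"picture B " * 30)

# Constructed case: a JPEG renamed to look like Word, a known OS binary, a text file.
SAMPLE_FILES = {"winword.exe": JPEG_A, "notepad.exe": FAKE_EXE, "readme.txt": b"hello"}
KNOWN_HASHES = {sha256_hex(FAKE_EXE)}

# Constructed raw image after a format: no directory left, data still in place.
SAMPLE_DISK = bytes(512) + JPEG_A + bytes(300) + b"garbage" + JPEG_B + bytes(128)

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_HASHES):
        print(row)
    for offset, data in carve_jpegs(SAMPLE_DISK):
        print(f"carved {len(data)} bytes at offset {offset}")
```

Because the hash is computed over content, the renamed golden.jpg from the hashing slide and its winword.exe copy land on the same digest, and a known-good executable is dropped without anyone opening it.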

14
Fallacy: Media mutilation? Miller time!
  • Example 1: cutting a floppy into pieces
  • Example 2: opening a hard drive, removing the
    platters, throwing them into the trash
  • Unless the damage is extreme, mutilation of
    magnetic media is insufficient to prevent
    recovery
  • Media can be reassembled and partial recovery
    performed
  • Even strong magnetic fields are insufficient
  • An older military-grade degausser for erasing hard
    drives was so strong that it bent the platters
    inside the drive
  • Your bulk tape eraser isn't going to do the job
  • To destroy data: multiple overwrites (software)
    or complete destruction of hardware

15
That's One Big Degausser!
16
Fallacy: "I used Web-based email"
  • Fallacy: use of web-based email rather than
    storing email messages directly on a computer is
    safer (in terms of thwarting recovery attempts)
  • It's not. Even if you never download the email
    and immediately delete all messages on the
    server!
  • Recently viewed web pages are stored in the web
    browser's cache
  • The cache is often in a hard-to-find place
  • Internet Explorer → Tools → Internet Options →
    Delete Files clears the cache in IE
  • See the slide on recovery of deleted files for the
    futility quotient: files stored in the browser
    cache are not securely deleted when the cache is
    cleared
  • Browser cache mining tools bring recently viewed
    web pages, including web-based email messages,
    back to life in a flash

17
Recovery of web-based emails
18
Fallacy: "Application uninstalls are easy"
  • Illegal application installed
  • Fear ensues
  • Application is uninstalled (Am I safe?)
  • Application files can still be undeleted,
    proving the application was installed
  • Further step to obscure installation: securely
    overwrite the application files
  • Now am I safe?
  • Nope.
  • Remnants of the installation can likely still be
    found in the Windows registry
  • Basically, if a user installs software and wants
    to permanently eradicate any traces, they must
    securely erase the entire drive or destroy the
    hardware

19
Fallacy: "I encrypted my files"
  • On encrypted file systems, if a file is ever
    printed and the spool directory isn't encrypted,
    fragments may be left behind
  • On some systems (e.g., Windows 2000 EFS), a
    recovery agent is able to read all encrypted files
  • For Windows 2000, this is the administrator
    account, so one need only break the administrator
    password
  • Problem: keys for truly secure encryption
    schemes are long, so they get written down or
    stored somewhere
    • Search for slips of paper
    • Search for unencrypted password lists
    • Search PDAs, phones, and organizers for passwords
      and encryption keys
  • Software or hardware keystroke loggers
  • Van Eck radiation (electromagnetic emanations from
    the display)
  • If the file can't be decrypted, the name of the
    file may still be useful in prosecution

20
Beowulf, Slayer of Poorly Chosen Passwords
How good are your passwords?
21
Steganography
  • Techniques for hiding information within other
    information
  • Historical
    • Tattoos
    • Text on wood under the wax layer of a wax tablet
    • Invisible ink (e.g., writing with lemon juice)
  • Modern
    • Much more sophisticated
    • Employ powerful encryption techniques
    • Hide documents within an image, video, or audio
      file
    • Hidden documents can be harmless, or child
      pornography, bomb plans, ...

22
Stego (2)
23
Stego (3)
24
Stego (4)
Statistical analysis by stegdetect guesses correctly that
something is hidden. But jphide uses Blowfish to scramble
the order of embedded data, so successful extraction is very
unlikely unless the password is known.
(Image captions: "Slipped inside the 2nd cactus picture by
jphide"; "Embedding in this case is not obvious (visually),
and the image with the embedded Golden is actually smaller
(in bytes) than the original")
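Slide 21 describes hiding a document inside an image and slide 24 the statistical test that still flags it. The added Python example below (not from the deck, and simpler than jphide, which embeds in JPEG DCT coefficients) does sequential LSB embedding into a constructed 8-bit sample array, extracts the payload back, and runs the pairs-of-values chi-square test that stegdetect's approach is built on: a natural cover has uneven counts for each value pair (2k, 2k+1), and random payload bits level them. The cover and payload are generated from fixed seeds and are not real image data.

```python
"""Sequential LSB steganography and the pairs-of-values chi-square test
(added example on a constructed 8-bit sample array)."""
import random


def embed_lsb(cover, payload):
    """Write payload bits, MSB first, into the LSB of successive samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego, nbytes):
    """Inverse of embed_lsb; needs only the payload length."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def pov_chi_square(samples):
    """Westfeld-Pfitzmann pairs-of-values statistic over values (2k, 2k+1).
    LSB embedding of near-random bits makes each pair's two counts converge,
    so the statistic is small on a fully embedded object and far larger on
    a natural cover whose even/odd counts differ."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected
    return chi


def make_cover(n, seed=1):
    """Constructed cover with the uneven even/odd histogram a real image has."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.7:
            v &= 0xFE
        cover.append(v)
    return cover


def make_payload(nbytes, seed=2):
    """Random bytes stand in for an encrypted message (jphide encrypts with
    Blowfish first); plain ASCII would leave every 8th LSB biased to 0."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))


def analyse(cover, stego):
    """Chi-square of the cover and of the stego object, for comparison."""
    return {"chi_cover": pov_chi_square(cover), "chi_stego": pov_chi_square(stego)}


if __name__ == "__main__":
    cover = make_cover(4096)
    payload = make_payload(512)
    stego = embed_lsb(cover, payload)
    print("round trip ok:", extract_lsb(stego, 512) == payload)
    print("max sample change:", max(abs(c - s) for c, s in zip(cover, stego)))
    print(analyse(cover, stego))
```

The detector sees the flattened histogram without knowing the payload, which is exactly the slide's situation: stegdetect can say something is there while the Blowfish-scrambled content stays out of reach without the password.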
25
Stego (5)
(Image: a bomb diagram, labelled "Igniter" and "Core")
This bomb diagram, however, is not detected inside the
cactus picture.
26
Bluepipe: On-the-Spot Digital Forensics
27
Legal Issues
  • Investigative needs vs. the right to privacy
  • Search warrant laws, e.g., Fourth Amendment to
    the U.S. Constitution
  • Wiretap laws
  • Chain of custody
  • Admissibility of evidence in court: Daubert
    • Essentially:
    • Has the theory or technique in question been
      tested?
    • Is the error rate known?
    • Widespread acceptance within a relevant
      scientific community?
  • Patriot Act
    • Greatly expands governmental powers in terms of
      searching and wiretapping without prior
      notification

28
The Other Side: Privacy
  • We've concentrated on the cool technology, but...
  • The existence of sophisticated digital forensics
    techniques is a great enabler for fascism
  • Actively fight laws that don't appropriately
    balance privacy with the need for investigation
  • Secure file deletion software
    • Overwriting files with zeros is good enough
      unless a scanning tunneling microscope is
      available
    • Caveat: on SSDs and on journaling or
      copy-on-write file systems an in-place overwrite
      may not reach every copy of the data
  • Volatile computing
  • Physical destruction of media
    • Grind the media into powder
    • Vats of acid or molten steel

29
Resources
  • Books
    • Digital Evidence and Computer Crime (E. Casey,
      Academic Press)
    • Computer Forensics and Privacy (M. Caloyannides,
      Artech House)
  • Websites
    • http://www.dfrws.org
      Lots of references related to digital forensics,
      including a link to an interesting e-journal
    • http://www.ijde.org/ (International Journal of
      Digital Evidence)
    • http://vip.poly.edu/kulesh/forensics/list.htm
      Tons of stuff, including a bunch of online papers
    • http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
      Huge collection of forensics-related software
  • Commercial digital forensics software
    • EnCase
    • FTK (Forensic Toolkit)
    • ILook (law enforcement only)
    • WinHex

30
Presentation available at:
  • http://www.cs.uno.edu/golden/teach.html
  • golden_at_cs.uno.edu
  • Office: Math 346