Auburn University Digital Forensics 1 www.eng.auburn.edu/users/hamilton/security/
Introduction to Digital Forensics / A Criminologist’s View of Digital Forensics, Lesson 2
Reference: Scott L. Ksander Purdue University
Reference: Jau-Hwang Wang, Central Police University, Tao-Yuan, Taiwan
Computer People are from Mars
Law Enforcement is from Venus
--Scott L. Ksander
Advantage of Computer People
• Natural curiosity
• “Obsessed” with detail
• Problem/puzzle solving is their profession/passion
• Intuitive thinkers
• Look for “creative” solutions
Advantage of Law Enforcement
• Trained investigators
• Interviewing skills and creativity
• Fact-finding is their life
• Understanding the criminal psyche
• Access to additional resources
• Can tie things to other incidents
• Broad data collection reach
Forensic Field kits
• Documentation Tools
  – Cable tags.
  – Indelible felt tip markers.
  – Stick-on labels.
• Disassembly and Removal Tools – a variety of nonmagnetic sizes and types of:
  – Flat-blade and Phillips-type screwdrivers.
  – Anti-static straps.
  – Hex-nut drivers.
  – Needle-nose pliers.
  – Secure-bit drivers.
  – Small tweezers.
  – Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
  – Standard pliers.
  – Star-type nut drivers.
  – Wire cutters.
Forensic Field kits (continued)
• Package and Transport Supplies
  – Antistatic bags.
  – Antistatic bubble wrap.
  – Cable ties.
  – Evidence bags.
  – Evidence tape.
  – Packing materials (avoid materials that can produce static such as Styrofoam or Styrofoam peanuts).
  – Packing tape.
  – Sturdy boxes of various sizes.
Forensic Field kits (continued)
• Items that also should be included within a kit are:
  – Rubber gloves.
  – Hand truck.
  – Large rubber bands.
  – List of contact telephone numbers for assistance.
  – Magnifying glass.
  – Printer paper.
  – Seizure disk.
  – Small flashlight.
  – Unused removable media (CD, DVD, etc.).
  – Blank and zeroed hard drives.
Software Toolkit
• Directory Snoop (http://www.briggsoft.com)
• ThumbsPlus (http://www.cerious.com)
• WinHex (http://www.winhex.com)
• Mount Image (http://www.mountimage.com)
• Autopsy Forensic Browser
• FTK
• Just saying “Hi”
• “Thought you might be interested”
• Notify potential victims
18 USC 2703(f) “Preservation letter”
– Preserve for 90 days
– ONLY retrospectively
18 USC 2703(f): “… without notice … nor … any disruption in service”
Subpoena often follows: “… requested not to disclose the existence of this subpoena”
Subpoena: “Provide all records, documents, logs, and subscriber information”
Search Warrant Sometimes “Sealed”
Operational plan for Search Warrants: “No warning shots.”
Challenges
• NIJ 2001 Study
• There is a near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes.
• Most State and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.
• Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
General Challenges
• Computer forensics is in its infancy
• Different from other forensic sciences, as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector
• No real basic theoretical background upon which to conduct empirical hypothesis testing
• No true professional designations
• Proper training
• At least 3 different “communities” with different demands
• Still more of a “folk art” than a true science
Specific Challenges
• No international definitions of computer crime
• No international agreements on extraditions
• Multitude of OS platforms and filesystems
• Incredibly large storage capacity
  – 100 Gig plus
  – Terabytes
  – SANs
• Small footprint storage devices
  – Compact flash
  – Memory sticks
  – Thumb drives
  – Secure digital
• Networked environments
• RAID systems
• Grid computing
• Embedded processors
Specific Challenges (continued)
• Where is the “crime scene?”
(Diagram: Perpetrator’s System, Victim’s System, Electronic Crime Scene, Cyberspace)
General Defense Strategies
• Not Me Defense (aka SODDI, TODDI)
  – Some Other Dude Did It
  – The Other Dude Did It
• Mind-Numbing Detail Defense
• Indict the Examiner Defense (aka Dennis Fung Defense)
Where Evidence Resides
• Computer systems
  – Logical file system
• File system
  – Files, directories and folders, FAT, clusters, partitions, sectors
• Random access memory
• Physical storage media
  – Magnetic force microscopy can be used to recover data from overwritten areas.
  – Slack space: space allocated to a file but not actually used due to internal fragmentation.
  – Unallocated space
Where Evidence Resides (continued)
• Computer networks
  – Application Layer
  – Transport Layer
  – Network Layer
  – Data Link Layer
Evidence on Application Layer
• Web pages, online documents.
• E-mail messages.
• Newsgroup archives.
• Archive files.
• Chat room archives.
• …
Evidence on Transport and Network Layers
Evidence on the Data-link & Physical Layers
Challenges of Computer Forensics
• A microcomputer may have 60 GB or more storage capacity. (More like 2 TB today)
• There are more than 2.2 billion messages expected to be sent and received (in the US) per day.
• There are more than 3 billion indexed Web pages worldwide.
• There are more than 550 billion documents online.
• Exabytes of data are stored on tape or hard drives.
  – (Source: Marcella, Albert, et al., Cyber Forensics, 2002.)
Challenges of Computer Forensics (continued)
• How to collect the specific, probative, and case-related information from very large groups of files?
  – Link analysis
  – Visualization
• Enabling techniques for lead discovery from very large groups of files:
  – Text mining
  – Data mining
  – Intelligent information retrieval
Challenges of Computer Forensics (continued)
• Computer forensics must also adapt quickly to new products and innovations with valid and reliable examination and analysis techniques.
Cybertrail and Crime Scene
(Diagram: crime scene; Cybertrail; network evidence)
Cyberwar or Information Warfare
• Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries. (Ivan K. Goldberg)
Slack Space
(Diagram: Old file; Old; New file – a smaller new file overwrites the start of the old file's cluster, leaving the old data in the new file's slack)
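The slack-space definition on the “Where Evidence Resides” slide and the Old file / New file diagram above describe the same mechanism. The following added example (written for this lecture, not the authors' code) simulates it on a constructed in-memory disk image with an assumed 512-byte cluster size: an old file is written, then a smaller new file reuses its first cluster, and the code shows that the old bytes survive both in the new file's slack and in the now-unallocated second cluster.

```python
CLUSTER = 512  # assumed cluster size; real file systems use 512 B to 64 KiB

def allocated_bytes(size):
    """Bytes the file system reserves for a file: size rounded up to whole clusters."""
    return -(-size // CLUSTER) * CLUSTER

def slack_bytes(size):
    """File slack: allocated minus logical size (internal fragmentation)."""
    return allocated_bytes(size) - size

def write_file(image, offset, data):
    """Mimic a file write: only len(data) bytes change; the tail of the last
    cluster is not cleared, so older bytes survive there."""
    image[offset:offset + len(data)] = data

def read_slack(image, offset, size):
    """Slack region of a file with logical size `size` stored at `offset`."""
    return bytes(image[offset + size:offset + allocated_bytes(size)])

def build_image():
    """Constructed 2 KiB image: write an old 2-cluster file, 'delete' it, then
    let a 17-byte new file reuse the first cluster. Returns (image, new size)."""
    image = bytearray(4 * CLUSTER)
    old = b"A" * 100 + b"SECRET-OLD-DATA" + b"B" * 900   # 1015 B -> 2 clusters
    write_file(image, 0, old)
    new = b"new file contents"                            # 17 B   -> 1 cluster
    write_file(image, 0, new)
    return image, len(new)

def recover():
    """Report where the old file's bytes still are after the overwrite."""
    image, new_size = build_image()
    slack = read_slack(image, 0, new_size)                   # bytes 17..511 of cluster 0
    unallocated = bytes(image[allocated_bytes(new_size):])   # clusters 1..3, no owner
    return {
        "slack_len": len(slack),
        "slack_has_old_data": b"SECRET-OLD-DATA" in slack,
        "unallocated_has_old_data": b"B" * 100 in unallocated,
    }

if __name__ == "__main__":
    print(recover())
```

On a real image the same two regions are what carving tools examine; a larger cluster size only widens the slack region per file.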
Evidence Recovery from RAMs on modern Unix systems
References
• National Hi-Tech Crime Unit (UK)
  – The ACPO Good Practice Guide for Computer based Electronic Evidence (2003)
  – http://www.nhtcu.org
• DOJ - CCIPS
  – Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
  – http://www.cybercrime.gov/s%smanual2002.htm
• NIJ Guide
  – Electronic Crime Scene Investigation: A Guide for First Responders
  – http://www.ncjrs.org/pdffiles1/nij/187736.pdf
References (continued)
• Bickers, Charles, 2001, “Cyberwar: Combat on the Web”, Far Eastern Economic Review.
• Casey, Eoghan, 2000, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press.
• Casey, Eoghan, 2002, Handbook of Computer Crime Investigation, Academic Press.
• Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator’s Handbook, Butterworth Heinemann.
• Lane, C., 1997, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press.
• Marcella, A. J., and R. S. Greenfield, 2002, Cyber Forensics, Auerbach Publications.
• Rivest, R., 1992, “Request for Comments 1321 (The MD5 Message-Digest Algorithm)”, MIT Laboratory for Computer Science and RSA Data Security, Inc.
• Saferstein, Richard, 1981, Criminalistics: An Introduction to Forensic Science, 2nd edition, Prentice Hall.
• Kruse II, Warren G., and Jay G. Heiser, 2002, Computer Forensics: Incident Response Essentials, Addison Wesley.