Date posted: 12-Jan-2016
Calvin College Seminar - Inforensics 1
Calvin College Seminar
INFORENSICS (INformation FORENSICS)
Scott L. Ksander, Senior Inforensics Analyst/Engineer
What is Inforensics?
Conduct a repeatable and verifiable examination of “the computer” using established practices and procedures
Successfully communicate results of the examination to the “trier of fact”
Examiner must be a “teacher” as well as witness
Maturing from “black art” to “science”
Which item does not contain a computer?
Some Background
Per a UC Berkeley study, over 93% of all information produced in 1999 was in digital format.
124 million personal computers were sold worldwide in 2001
According to the Department of Commerce, 54% of all Americans used the Internet at least once during September of 2001
Nielsen/NetRating reports that 498 million people worldwide had internet access in their homes at the end of 2001
Per Cisco, there are seven new internet users every second
Cisco alone sells more than $28M in internet products daily
Estimated Internet based revenue for 2002 was over 1.2 TRILLION USD
Some Background
The Dean of Students at Purdue University estimates that 25% of all disciplinary cases involve some sort of computer evidence
The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination
Local law enforcement agencies and prosecutors expect 20-40% of all cases will require information forensics
The Problem
Many people view cyberspace as “different” from the real world
Boundaries are invisible; therefore, jurisdictions are difficult to ascertain
All crimes can have a cyber dimension
Technology continues to rapidly develop, with new technologies/”opportunities” emerging all the time (e.g. “Web World” less than 4,500 days old)
“The Computer”
Computer as Target of the incident
• Get to instructor’s test preparation
• Access someone else’s homework
• Access/Change a grade
• Access financial information
• “Denial of Service”
Computer as Tool of the incident
• Word processing used to create plagiarized work
• E-mail sent as threat or harassment
• Printing used to create counterfeit material
Computer as Incidental to the incident
• E-mail/file access used to establish date/timelines
• Stored names and addresses of contacts or others potentially involved in the incident
Inforensics Cases
Mischief
Copyright Violation
Academic Dishonesty
Harassment/Stalking
Identity Theft
Threats
Counterfeiting (IDs, Money, Checks)
Sexually Explicit Material/Child Porn
Rape
Murder
Traditional Reasons for Forensic Investigations
Fraud Investigation: 18%
Harassment: 6%
Information Theft: 15%
Hacking: 21%
Virus Damage: 9%
Sexually Explicit Material: 19%
Other: 12%
General Types of Digital Forensics
“Network” Analysis
• Communication analysis
• Log analysis
• Path tracing
Media Analysis
• Disk imaging
• MAC time analysis (Modify, Access, Create)
• Content analysis
• Slack space analysis
• Steganography
Code Analysis
• Reverse engineering
• Malicious code review
• Exploit review
The “puzzle” is a combination of all the above pieces
Basic Methodology
The Three A’s
• Acquire
• Authenticate
• Analyze
NIJ Guide
Electronic Crime Scene Investigation: A Guide for First Responders
http://www.ncjrs.org/pdffiles1/nij/187736.pdf
Minimum Standards
“First, do no harm” – protect the evidence
Assume nothing, check everything
Assign unique tracking number/ID for each piece of evidence
Write-protect the media; make an image copy to clean media with checksum verification (MD5)
Always work with evidence copy (even paper)
Journal all steps taken during analysis, document everything
Check media for “hostile code”
Print copies of relevant data found (yes, that can be a lot of paper!)
Prepare report of analysis (assume you will see it again in court)
General Practices
Document chain of custody
All software utilized needs to be licensed/authorized for use by the examiner and/or the examiner’s agency
Utilize tools with available source code to allow analysis of tool’s process
If at all possible, examiner must have access to hardware and software equivalent to system(s) under investigation
Always accurately document the procedures used
Investigating a crime does not give you license to break the law
• Wiretapping is illegal, even when you own the equipment
• Never “Hack Back”
General Defense Strategies
Not Me Defense (aka SODDI, TODDI)
Mind-Numbing Detail Defense
Indict the Examiner Defense (aka Dennis Fung Defense)
Image the System
Ghost
• www.symantec.com
Safeback
• www.forensics-intl.com
Encase
• www.guidancesoftware.com
ILOOK
• www.ilook-forensics.org
Open-Source Tools
• md5sum, dd, netcat
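The Acquire and Authenticate steps from the Basic Methodology and Minimum Standards slides, worked with the open-source tools the deck names (dd, md5sum), as an added example that is not part of the seminar's material. The function names, the journal format and the evidence ID EV-0001 are this example's own assumptions.

```shell
# Added example (not from the seminar): Acquire and Authenticate with dd and
# md5sum, journaling every step. Function and variable names are this
# example's own; EV-0001 is a constructed evidence ID.

# journal FILE MESSAGE... : append a UTC-timestamped line (document everything)
journal() {
    j="$1"; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$j"
}

# verify_image IMAGE EXPECTED_MD5 : re-authenticate a copy before each use
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# image_and_verify SOURCE IMAGE JOURNAL EVIDENCE_ID
# Block-copies SOURCE to IMAGE, hashes both, write-protects the image and
# returns 0 only when the two MD5 sums match.
image_and_verify() {
    src="$1"; img="$2"; j="$3"; eid="$4"
    journal "$j" "$eid: acquisition started, source=$src"
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    journal "$j" "$eid: source md5=$src_md5"
    # bs=512 matches sector size; noerror keeps reading past bad sectors and
    # sync pads them with NULs so image offsets stay aligned with the source.
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null; then
        journal "$j" "$eid: dd FAILED"
        return 1
    fi
    chmod a-w "$img"   # always work from the copy, and keep the copy from drifting
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    journal "$j" "$eid: image md5=$img_md5"
    if verify_image "$img" "$src_md5"; then
        journal "$j" "$eid: VERIFIED image hash matches source"
        return 0
    fi
    journal "$j" "$eid: MISMATCH image not authenticated"
    return 1
}

# demo: constructed input, a 16-sector "drive" file standing in for real media
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/drive.raw" bs=512 count=16 2>/dev/null
    image_and_verify "$d/drive.raw" "$d/drive.img" "$d/journal.log" EV-0001
    cat "$d/journal.log"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see the journal for the constructed drive; on real media, pass the device (for example a write-blocked disk) as SOURCE.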
Open-Source Tools
Pocket Security Toolkit
• From @Stake
• http://www.atstake.com/research/tools/pst/
Research Paper
• http://www.atstake.com/research/reports/acrobat/atstake_opensource_forensics.pdf
Analysis Tools
Encase
• www.guidancesoftware.com
ILOOK
• www.ilook-forensics.org
Open-Source Tools
• TCT (The Coroner’s Toolkit)
• Autopsy
Encase
Guidance Software
World leader in computer forensic solutions
Over 10,000 licenses sold
Trained over 6,000 investigators
Headquartered in Pasadena, CA
Training Facilities
• Pasadena, CA
• Sterling, VA
• Liverpool, UK
ILook Investigator
ILook Investigator is a forensic analysis tool used to analyze images of computer hard disk drives.
The software was written by Elliot Spencer and is provided free of charge to qualifying law enforcement agencies throughout the world.
The software is made available through the Electronic Crimes Program of the Internal Revenue Service.
“Please note - The ILook End User License Agreement (EULA) and program registration restrict the use of ILook to law enforcement agencies only. There are no exceptions. This software will not work unless you have successfully registered ILook and received your individual registration key.”
Open Source Issues
Legal Validation as evidence in court
Ability to dynamically adjust to fast-changing technology
• Fixes – either self-created or from the open source community
• New features to address new, emerging needs such as new operating system versions/releases or storage technologies
• Availability of new techniques developed and shared within the open source community
Cost of software license (free)
Very limited documentation and training
Open Source Issues
Reliability of scientific evidence may require a Daubert/Frye hearing
• Testing – can the procedure be tested, and has it been?
• Error Rate – is there a known error rate of the procedure?
• Publication – has the procedure been published and subjected to peer review?
• Acceptance – is the procedure generally accepted in the relevant scientific community?
There is debate about whether digital evidence falls under the Daubert guidelines as scientific evidence or the Federal Rules of Evidence as non-scientific technical testimony. (see Rule 901(b)(9))
The Coroner’s Toolkit
www.fish.com/tct
Authors
• Dan Farmer
• Wietse Venema
TCT Programs
grave-robber
ils, icat, pcat, file, others
unrm
lazarus
mactime
Autopsy
http://www.atstake.com/research/tools/autopsy/
Author
• Brian Carrier (a Purdue guy)
Computer People are from Mars
Law Enforcement is from Venus
Advantage of Computer People
Natural curiosity
“Obsessed” with detail
Problem/puzzle solving in their profession/passion
Intuitive thinkers
Look for “creative” solutions
Advantage of Law Enforcement
Trained investigators
Interviewing skills and creativity
Fact-finding is their life
Understanding the criminal psyche
Access to additional resources
Can tie things to other incidents
Broad data collection reach
So What Are The Laws?
Computer Fraud and Abuse Act, 18 USC 1030
Wiretap Act, 18 USC 2511
Electronic Communications Privacy Act, 18 USC 2701
Computer Trespass, IC 35-43-2-3
Computer Tampering, IC 35-43-1-4
So What Are The Laws?
Child Pornography, 18 USC 2252A
Criminal Copyrights, 18 USC 2319 & 17 USC 506(a)
Criminal Trademark, 18 USC 2320
Criminal Trade Secrets, 18 USC 1831, 1832
Threats and Harassment, 18 USC 844(e) & 875, 47 USC 223(a)(1)(C, E)
Fraud, drug dealing, other, etc.
Computer Fraud & Abuse Act
Criminalizes inflicting certain types of damage to a Protected Computer
• “protected computer” is one used by Federal government, financial institution, or one that affects interstate or foreign commerce or communications of the United States
• “damage” is any impairment to the integrity or availability of data, a program, a system, or information causing loss of $5,000 or more, impairment of medical records, injury, threat to public health, …
Network Crimes
Federal Wiretap Act
• Covers the illegal interception in real time of voice and electronic communications as they traverse networks
Electronic Communications Privacy Act
• Covers the illegal access to certain stored voice and electronic communications
Monitoring
                                  Contents of Communication    Headers, logs, and other information
Real-time interception            Wiretap Act                  Pen Register Statute
Access to stored communications   ECPA                         ECPA
Exceptions
Provider Exception, 18 USC 2511(2)(a)(i)
Consent, 18 USC 2511(2)(c)
Computer Trespasser Exception, 18 USC 2511(2)(i)
Provider Exception
Allows a system administrator to conduct reasonable monitoring:
• To protect provider’s “rights or property”
• When done in normal course of employment while engaged in activity which is a “necessary incident to rendition of his service”
NOT a criminal investigator’s privilege
Consent Exception
Banner the network
• “You have no reasonable expectation of privacy on this network …”
Written consent of authorized users
Trespasser Exception
Allows law enforcement to intercept communications to or from “computer trespassers”
Even if trespasser is using system as a pass-through to other “downstream” victims
A “computer trespasser”
• A person who accesses network “without authority”
• Excludes a person known by the provider to have an existing contractual relationship with the provider for use of the system
IC 35-43-2-3
A person who knowingly or intentionally accesses a computer system, computer network, or any part of a computer system or computer network without the consent of the owner … commits computer trespass, a Class A misdemeanor
IC 35-43-1-4
A person who knowingly or intentionally alters or damages a computer system or data, which compromises a part of a computer system or computer network without the consent of the owner … commits computer tampering, a Class D felony. (C felony if terrorism, B felony if terrorism and results in serious bodily injury)
Who is Working on This?
High Technology Crime Investigation Association (HTCIA)
International Association of Computer Investigation Specialists (IACIS)
American Society of Crime Lab Directors
American Academy of Forensic Sciences
National Center for Forensic Science (NCFS, University of Central Florida)
Purdue University ITaP/CERIAS
Questions Before Elvis Leaves the Building?