Date post: 23-May-2018
Cybersecurity HS Summer Camp Computer Forensics
Page 1: Computer Forensics - ccom.uprrp.edu/~jortiz/cyber/hscamp/41-SummerCampCybersecurity...

Cybersecurity HS Summer Camp

Computer Forensics

Page 2: Computer Forensics

HS Summer Camp | Computer Science Department | University of Puerto Rico - RP

A branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.

The goal of computer forensics is to examine digital media applying the scientific method with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Page 3: Computer Forensics

When we use the term Computer Forensics we specifically mean the application of the scientific method to reconstructing a sequence of events involving computers and information.

In other words: can we figure out, after the fact, what happened in an information system?

Page 4: Forensic Scenarios

One of our servers has been compromised, and we'd like to know how it was done.

We don't know whether we've been compromised, and we'd like to check that everything is OK.

You recover a computer and you want to know what kind of shenanigans were done with it.

Page 5: Locard's Exchange Principle

The principle essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene and takes something away from it. These "somethings" are evidence.

This principle holds in the digital world as well, and it holds whether you are perpetrating a crime or not.

Page 6: Evidence: visiting a website

On the server, evidence is left in the web server logs.

On the client side, the browser receives cookies, caches a copy of the website, and keeps a history of the visits.

Page 7: Evidence (History & Cache)

To view the browser history: History -> Show Full History

To view the cache: type about:cache in the Chrome address bar

Page 8: Evidence: visiting a website

On the server, evidence is left in the web server logs:

72.50.87.234 - - [15/Apr/2015:15:34:24 -0400] "GET /~jortiz/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"
72.50.87.234 - - [15/Apr/2015:15:34:17 -0400] "GET /~jortiz/salon.jpg HTTP/1.1" 206 1552541 "http://ada.uprrp.edu/~jortiz/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"
72.50.87.234 - - [15/Apr/2015:15:34:33 -0400] "GET /~hortiz/ HTTP/1.1" 200 404 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"

Page 9: Evidence: Injection attacks

Evidence is left in the web server logs. If the injections were carried out by GET requests, then even the injection itself is recorded.

The injected content has to be stored on the server, either in a database or in the file system, and it can also be seen in the website source.

On the client side, the requests are recorded in the browser history. The user might have the source of the injection somewhere in the client file system.

Page 10: Evidence: Injection attacks

72.50.87.234 - - [15/Apr/2015:15:43:12 -0400] "GET /~jortiz/cyber/lec.css HTTP/1.1" 200 797 "http://ccom.uprrp.edu/~jortiz/cyber/injection/mb.cgi?msg=%3Cscript%3Ealert(1)%20;%3C/script%3E" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"
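As an added example that is not part of the slides, this Python script parses lines in the combined log format shown above, URL-decodes the query parameters of both the request target and the Referer, and reports any value carrying a marker such as <script; the sample lines are the ones on the slides with the User-Agent shortened.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Substrings that do not belong in a legitimate query value
SUSPICIOUS = ("<script", "javascript:", "onerror=", "' or ", "union select")

def parse_line(line):
    """Fields of one combined-log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def decoded_params(url):
    """URL-decode each query parameter by hand, so the split does not depend on the Python version."""
    pairs = []
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def find_injections(lines):
    """(ip, time, where, param, decoded value) for every parameter that looks injected.
    Both the GET target and the Referer are checked: the slide's payload only shows up
    in the Referer of the follow-up request for lec.css."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        target = parts[1] if len(parts) >= 2 else ""
        for where, url in (("request", target), ("referer", rec["referer"])):
            for key, value in decoded_params(url):
                if any(s in value.lower() for s in SUSPICIOUS):
                    hits.append((rec["ip"], rec["time"], where, key, value))
    return hits

# Constructed sample: two lines from the slides, User-Agent shortened to keep them readable
SAMPLE = [
    '72.50.87.234 - - [15/Apr/2015:15:34:24 -0400] "GET /~jortiz/ HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    '72.50.87.234 - - [15/Apr/2015:15:43:12 -0400] "GET /~jortiz/cyber/lec.css HTTP/1.1" 200 797 '
    '"http://ccom.uprrp.edu/~jortiz/cyber/injection/mb.cgi?msg=%3Cscript%3Ealert(1)%20;%3C/script%3E" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE):
        print(hit)
```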

Page 11: Evidence: Sending Email

On the server, evidence is left in the mail server log. The email is stored on the server until it is deleted from the sent directory.

On the client, the emails might also be cached so that they can be read offline.

Inside the email headers the servers leave a trail of evidence that includes the source computer of the email, the servers that relayed the email on its way to its destination, and even the applications that scanned the email.

Page 12: Evidence: Sending Email

On the server, evidence is left in the mail server log (here, Postfix). The email is stored on the server until it is deleted from the sent directory.

Apr 15 16:05:16 ccom postfix/smtpd[20964]: connect from unknown[136.145.181.66]
Apr 15 16:07:25 ccom postfix/qmgr[1005]: 024BF5FBA0: from=<[email protected]>, size=237, nrcpt=1 (queue active)
Apr 15 16:07:25 ccom postfix/local[20971]: 024BF5FBA0: to=<[email protected]>, relay=local, delay=50, delays=50/0.11/0/0.05, dsn=2.0.0, status=sent (forwarded as 5156B5FBA5)
Apr 15 16:07:25 ccom postfix/qmgr[1005]: 5156B5FBA5: from=<[email protected]>, size=380, nrcpt=1 (queue active)
Apr 15 16:07:25 ccom postfix/qmgr[1005]: 024BF5FBA0: removed
Apr 15 16:07:50 ccom postfix/smtpd[20964]: disconnect from unknown[136.145.181.66]

Page 13: Evidence: Sending Email

Inside the email headers the server leaves a trail of evidence:

Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1]) by mail.hpcf.upr.edu (Postfix) with ESMTP id A6AF22EEFC4 for <[email protected]>; Wed, 15 Apr 2015 16:34:15 -0400 (AST)
X-Virus-Scanned: amavisd-new at hpcf.upr.edu
Authentication-Results: mail.hpcf.upr.edu (amavisd-new); dkim=neutral reason="invalid (public key: DNS query timeout for 20120113._domainkey.gmail.com)" header.d=gmail.com
Received: from mail.hpcf.upr.edu ([127.0.0.1]) by localhost (mail.hpcf.upr.edu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dLCrK4yX6z4P for <[email protected]>; Wed, 15 Apr 2015 16:34:00 -0400 (AST)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.213.176; helo=mail-ig0-f176.google.com; [email protected]; [email protected]

Page 14: Evidence: Sending Email

Inside the email headers the server leaves a trail of evidence:

Received: from mail-ig0-f176.google.com (mail-ig0-f176.google.com [209.85.213.176]) by mail.hpcf.upr.edu (Postfix) with ESMTP id 60D6C2EEFBA for <[email protected]>; Wed, 15 Apr 2015 16:33:59 -0400 (AST)
Received: by igbpi8 with SMTP id pi8so62602896igb.0 for <[email protected]>; Wed, 15 Apr 2015 13:25:21 -0700 (PDT)
X-Received: by 10.50.50.148 with SMTP id c20mr895502igo.0.1429129521626; Wed, 15 Apr 2015 13:25:21 -0700 (PDT)
Received: by 10.64.30.36 with HTTP; Wed, 15 Apr 2015 13:25:21 -0700 (PDT)
Date: Wed, 15 Apr 2015 16:25:21 -0400
Message-ID: <CADXci7cRsgLnyfCR-JeE_0m+sDHypRGujXcVRGfC7ktOiSwUJw@mail.gmail.com>
Subject: Estoy es una prueba
From: Jose Ortiz <[email protected]>
To: Jose Ortiz <[email protected]>
Content-Type: multipart/alternative; boundary=047d7bd764be7986390513c925e7
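Added example, not from the slides: reconstructing the relay path from Received headers like the ones above with Python's email module, oldest hop first, and pulling out the SPF and DKIM verdicts; the sample is assembled from the slide's headers, with placeholder mailbox names where the deck redacts them.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample assembled from the headers on the slides; mailbox names are placeholders.
RAW = """\
Delivered-To: user@hpcf.upr.edu
Received: from localhost (localhost [127.0.0.1]) by mail.hpcf.upr.edu (Postfix)
 with ESMTP id A6AF22EEFC4 for <user@hpcf.upr.edu>; Wed, 15 Apr 2015 16:34:15 -0400 (AST)
Authentication-Results: mail.hpcf.upr.edu (amavisd-new); dkim=neutral
 reason="invalid (public key: DNS query timeout for 20120113._domainkey.gmail.com)" header.d=gmail.com
Received: from mail.hpcf.upr.edu ([127.0.0.1]) by localhost (mail.hpcf.upr.edu [127.0.0.1])
 (amavisd-new, port 10024) with LMTP id dLCrK4yX6z4P for <user@hpcf.upr.edu>; Wed, 15 Apr 2015 16:34:00 -0400 (AST)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.213.176;
 helo=mail-ig0-f176.google.com
Received: from mail-ig0-f176.google.com (mail-ig0-f176.google.com [209.85.213.176])
 by mail.hpcf.upr.edu (Postfix) with ESMTP id 60D6C2EEFBA for <user@hpcf.upr.edu>; Wed, 15 Apr 2015 16:33:59 -0400 (AST)
Received: by igbpi8 with SMTP id pi8so62602896igb.0 for <user@hpcf.upr.edu>; Wed, 15 Apr 2015 13:25:21 -0700 (PDT)
Received: by 10.64.30.36 with HTTP; Wed, 15 Apr 2015 13:25:21 -0700 (PDT)
Date: Wed, 15 Apr 2015 16:25:21 -0400
Subject: Estoy es una prueba

(body omitted)
"""
# "from <host> (<comment>) by <host> ... with <protocol>"; the "from" part is absent on the first hop
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>\S+)\s+)?(?:\([^)]*\)\s+)?by\s+(?P<by>\S+).*?\swith\s+(?P<proto>\S+)")

def received_chain(raw):
    """Received headers oldest-first, i.e. the path the message actually travelled.
    Each MTA prepends its own header, so the top of the message is the last hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())              # unfold continuation lines
        info, _, stamp = value.rpartition(";")       # the timestamp follows the last ';'
        m = HOP_RE.match(info)
        hop = m.groupdict() if m else {"frm": None, "by": None, "proto": None}
        hop["when"] = parsedate_to_datetime(stamp.strip())
        hops.append(hop)
    return list(reversed(hops))

def transit_seconds(chain):
    """Seconds between the first hop (submission) and the last hop (final delivery)."""
    return (chain[-1]["when"] - chain[0]["when"]).total_seconds()

def auth_summary(raw):
    """SPF and DKIM verdicts recorded by the receiving side's scanners."""
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF", "").split()
    dkim = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    return {"spf": spf[0] if spf else None, "dkim": dkim.group(1) if dkim else None}
```

The timestamps are timezone-aware, so the -0700 submission time and the -0400 delivery time compare correctly.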

Page 15: Evidence: remote login

Successful and failed login attempts are logged in the server log files; here, the sshd entries:

Apr 15 16:37:41 ada sshd[21214]: Accepted password for jortiz from 72.50.87.234 port 50027 ssh2
Apr 15 16:37:41 ada sshd[21214]: pam_unix(sshd:session): session opened for user jortiz by (uid=0)
Apr 15 16:35:22 ada sshd[21135]: Failed password for estudiante from 64.237.236.165 port 41973 ssh2
Apr 15 16:35:27 ada sshd[21136]: Connection closed by 64.237.236.165
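An added example (not from the slides) that turns sshd lines like the ones above into a per-source summary and flags sources that failed repeatedly; the sample is the four slide lines plus two constructed failures from the same address.

```python
import re
from collections import defaultdict

# sshd lines as written to the system auth log: syslog prefix, then the sshd message
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_auth(lines):
    """One dict per Accepted/Failed line; other sshd lines (pam session, disconnects) are ignored."""
    events = []
    for line in lines:
        m = SSH_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Per source IP: number of failed and accepted logins and the usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        entry = summary[e["ip"]]
        entry["failed" if e["event"] == "Failed" else "accepted"] += 1
        entry["users"].add(e["user"])
    return dict(summary)

def suspicious_sources(summary, max_failures=3):
    """Sources at or above the failure budget, paired with whether they eventually logged in
    (a success after a burst of failures is the case to look at first)."""
    return sorted((ip, s["accepted"] > 0) for ip, s in summary.items() if s["failed"] >= max_failures)

# Constructed sample: the four slide lines plus two extra failures from the same source
SAMPLE = [
    "Apr 15 16:37:41 ada sshd[21214]: Accepted password for jortiz from 72.50.87.234 port 50027 ssh2",
    "Apr 15 16:37:41 ada sshd[21214]: pam_unix(sshd:session): session opened for user jortiz by (uid=0)",
    "Apr 15 16:35:22 ada sshd[21135]: Failed password for estudiante from 64.237.236.165 port 41973 ssh2",
    "Apr 15 16:35:27 ada sshd[21136]: Connection closed by 64.237.236.165",
    "Apr 15 16:35:30 ada sshd[21140]: Failed password for invalid user admin from 64.237.236.165 port 41980 ssh2",
    "Apr 15 16:35:33 ada sshd[21142]: Failed password for root from 64.237.236.165 port 41985 ssh2",
]

if __name__ == "__main__":
    for ip, got_in in suspicious_sources(summarize(parse_auth(SAMPLE))):
        print(ip, "eventually logged in" if got_in else "no successful login")
```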

Page 16: Evidence: remote login

In the terminal, the executed commands are also logged.

The user can use the history command to list the commands that he/she has executed:

$ history | head
    5  clear
    6  ./cmparser
    7  ./cmparser
    8  exit
    9  cd
   10  cd Documents/
   11  ls

Page 17: Evidence: remote login

The sysadmins can use lastcomm, if the pacct (process accounting) service is on, which will also display the commands executed on the server:

# lastcomm | head
lastcomm            root     pts/7      0.00 secs Wed Apr 15 16:42
bash           F    root     pts/7      0.00 secs Wed Apr 15 16:42
id                  root     pts/7      0.00 secs Wed Apr 15 16:42
grep                root     pts/7      0.00 secs Wed Apr 15 16:42
bash           F    root     pts/7      0.00 secs Wed Apr 15 16:42
bash           F    root     pts/7      0.00 secs Wed Apr 15 16:42
grep                jortiz   pts/4      0.00 secs Wed Apr 15 15:27

Page 18: Evidence: Applications

Most file processing applications, such as Word, Acrobat Reader, and even browsers, keep a list of recently opened files.

Page 19: Evidence: Files

Most file formats include metadata fields that usually store information such as the application used to create the file, the author of the file, and other author information.

Page 20: File Carving

File carving is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. [forensicswiki.org]

It is a powerful tool for recovering files and fragments of files from a physical storage device when directory entries are corrupt or missing, i.e. when files have been deleted, the device has been erased, or the device has been partially destroyed.

Page 21: Storage Device or drive

A storage device (hard drive, thumb drive, etc.) is nothing more than a huge sequence of bytes.

We can refer to a specific byte by its offset, i.e. its distance from the initial byte.

The initial byte has offset 0, the next offset 1, and so forth.

Page 22: Formatted Drive - file system

Some of the bytes on the drive are used to represent the file system. It contains a record for each file with its name, the byte offset at which it begins, and the byte offset at which it ends, as well as records that indicate which directories (folders) there are and which directory each file belongs in.

Page 23: Formatted Drive - files

The file system only contains information about the files; the actual files themselves are (usually) nothing more than a chunk of consecutive bytes on the drive.

Page 24: Formatted Drive - free space

Free or unallocated space: these are the bytes on the drive that are not currently being used to store information, either as part of the file system or as part of a file.

When new files are created, bytes from the unallocated space are commandeered to store the new file.

Page 25: Deleting a File

When you tell the operating system to delete a file, all it really means is that

• the file system's record of that file (its name, the byte offset it starts at and the byte offset it ends at) is destroyed, and

• the bytes that constitute the file itself are simply reclassified as "unallocated space".

Page 26: File Recovery

When a file is deleted, its bytes are simply categorized as "unallocated", which means they are available for use in representing new files.

A file that has been deleted is recoverable up until the time that its bytes are commandeered for other purposes.

Page 27: File Recovery

When a file is deleted, the file's name and the offsets at which it begins and ends are no longer available.

We need to find where the file begins and ends, and that is file carving.

Page 28: File Carving

To carve a file from a block of bytes, you'll need to look for the header (and, depending on the file type, the footer) of the file. For example, the header (in hex) for a PNG file is 89 50 4e 47 and the footer is 49 45 4e 44 ae 42 60 82.
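An added example, not part of the slides, that carves PNG files out of a block of bytes using exactly the header and footer given above and validates each candidate's chunk CRCs, so a header whose file was later overwritten is not mistaken for an intact file; the "disk" is constructed in the code from two tiny generated PNGs, a truncated copy of one, and filler bytes standing in for unallocated space.

```python
import struct
import zlib

PNG_HEADER = bytes.fromhex("89504e47")           # header from the slide (start of the PNG signature)
PNG_FOOTER = bytes.fromhex("49454e44ae426082")   # footer from the slide: "IEND" plus its constant CRC

def png_chunk(ctype, data):
    """One PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def tiny_png(r, g, b):
    """A valid 1x1 RGB PNG; used only to build the constructed 'disk' below."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(bytes([0, r, g, b]))                # filter byte 0 + one pixel
    return b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def chunks_valid(blob):
    """Walk the chunks of a candidate and check every CRC; a header followed by junk fails here."""
    pos = 8
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(crc) < 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            return False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False

def carve_png(image):
    """[(offset, bytes)] for every header..footer span that validates as a PNG.
    A header with no footer after it (a truncated or overwritten file) is skipped."""
    found = []
    start = image.find(PNG_HEADER)
    while start != -1:
        end = image.find(PNG_FOOTER, start)
        if end == -1:
            break
        candidate = image[start:end + len(PNG_FOOTER)]
        if chunks_valid(candidate):
            found.append((start, candidate))
            start = image.find(PNG_HEADER, end + len(PNG_FOOTER))
        else:                      # that footer belongs to a later file; try the next header
            start = image.find(PNG_HEADER, start + 1)
    return found

JUNK = b"\x00" * 64 + b"not a picture " * 5     # 134 bytes of filler standing in for unallocated space

def build_image():
    """Constructed unallocated space: two intact PNGs and one truncated PNG, no directory entries."""
    red, blue = tiny_png(255, 0, 0), tiny_png(0, 0, 255)
    return JUNK + red + JUNK + blue[:20] + JUNK + blue + JUNK
```

Running carve_png(build_image()) returns the two intact files at their byte offsets; the truncated copy is rejected because its IHDR CRC does not match the junk that follows it.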

