Introduction to Digital Forensics - index-of.es

Introduction to Digital Forensics - index-of.es

1 Live Forensics Tutorial Part 1: Traditional Forensics Frank Adelstein, Ph.D. Technical Director, Computer Security, ATC-NY GIAC-certified Digital Forensics Investigator Golden G. Richard III, Ph.D. Professor, Dept. of Computer Science, University of New Orleans GIAC-certified Digital Forensics Investigator Co-Founder, Digital Forensics Solutions, LLC USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Course Overview The Big Picture

2 Introduction Traditional Forensics/Background Simple Network Forensics Main Focus: Live Forensics Demo Wrap-up USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 3 Instructor Background Frank: Forensics researcher, Ph.D. in computer science (OSU), R&D, GCFA certification, vice-chair DFRWS Golden: Professor, Ph.D. in computer science (OSU), teaches forensic courses, GCFA, founder Digital Forensic Solutions, LLC, chair DFRWS USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 4

Course Goals and Disclaimer Goals Gain an understanding of what information live forensic analysis can provide as well as its limitations See how live forensics fits into the big picture of other analysis techniques Disclaimers This is not legal advice 6 hours doesnt make you an expert USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Technical Definition: Digital Forensics

5 Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices. PLUS data recovery USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 6 Definition for the Masses Deleted information, on almost any kind of digital storage media, is almost never completely gone Digital Forensics is the set of tools and

techniques to recover this information in a forensically valid way (i.e., acceptable by a court of law) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 7 Motivation Deleted files arent securely deleted Recover deleted file + when it was deleted! Renaming files to avoid detection is pointless Formatting disks doesnt delete much data Web-based email can be (partially) recovered directly from a computer

Files transferred over a network can be reassembled and used as evidence USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 8 Motivation (2) Uninstalling applications is much more difficult than it might appear Volatile data hangs around for a long time (even across reboots) Remnants from previously executed applications Using encryption properly is difficult, because data isnt useful unless decrypted Anti-forensics (privacy-enhancing) software is mostly broken

Big magnets (generally) dont work Media mutilation (except in the extreme) doesnt work Basic enabler: Data is very hard to kill USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Traditional Digital Forensics Investigation 9 Whats possible? Recovery of deleted data Discovery of when files were modified, created, deleted, organized Can determine which storage devices were attached to a specific computer

Which applications were installed, even if they were uninstalled by the user Which web sites a user visited USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 10 Traditional (2) Whats not If digital media is completely (physically) destroyed, recovery is impossible If digital media is securely overwritten, recovery is very, very complicated, or impossible USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III Privacy Through Media Mutilation 11 or or or degausser USENIX Security 2007 forensically-secure file deletion software

(but make sure it works!) Copyright 2007 by Frank Adelstein and Golden G. Richard. III 12 Who Needs It? Law enforcement Prosecution of crimes which involve computers or other digital devices Defend the innocent Prosecute the guilty Must follow strict guidelines during entire forensics process to ensure evidence will be admissible in court Military Prosecution of internal computer-related crimes Own guidelines, many normal legal issues do not

apply USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 13 Who (2) Security agencies (e.g., Secret Service, CIA, FBI, NSA) Anti-terrorism efforts Some provisions for this effort relax traditional privacy guards More on this soon, but for example, typically search warrant is served and individual knows he is being investigated Patriot Act weakens some requirements for search warrants

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 14 Who (3) General Employee misconduct in corporate cases What happened to this computer? For accidental deletion or malicious deletion of data by a user (or a program), what can be recovered? Need for strict guidelines and documentation during recovery process may or may not be necessary Privacy advocates What can be done to ensure privacy? Premise: Individuals have a right to privacy. How can

individuals ensure that their digital data is private? Very difficult, unless strong encryption is used, then storage of keys becomes the difficult issue USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 15 Digital Forensics: Goals (1) Identification of potential digital evidence Where might the evidence be? Which devices did the suspect use? Preservation of evidence On the crime scene First, stabilize evidenceprevent loss and contamination

Careful documentation of everythingwhats hooked up, how its hooked up If possible, make identical, bit-level copies of evidence for examination USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 16 Digital Forensics: Goals (2) Careful extraction and examination of evidence Directory and file analysis Presentation of results of investigation (if appropriate) The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore

HITLIST.DOC The suspect attempted to hide the Microsoft Word document HITLIST.DOC but I was able to recover it by correcting some filesystem bookkeeping information, without tampering with the file contents. Legal: Investigatory needs meet privacy USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 17 Digital Forensics: Constraints Order of volatility Some data is more volatile RAM > swap > disk > CDs/DVDs Idea: capture more volatile evidence first

Chain of custody Maintenance of possession records for all Must be able to trace evidence back to original source Prove that source wasnt modified USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 18 Legal Issues Admissible in court? Generally yes, but there is limited precedent. Shooting a moving target. But if it is consistent and no evidence gets created, it should be OK.

Legal to gather? Yes (with an appropriate court order) and yes for certain other circumstances Often it is the only way to gather information, as the court order may specify that machines cannot be taken down Network sniffing is considered a wire tap. Be careful! requires a Title III (18 USC 2510-2521) court order often hard to get same for incoming text messages on cell phones(!) (Disclaimer: Dont listen to me, consult a lawyer.) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 19 Legal issues (2)

Investigative needs vs. the right to privacy Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution Fifth Amendment and Encryption Wiretap laws Chain of custody Admissibility of evidence in court: Daubert Essentially: Has theory or technique in question been tested? Is error rate known? Widespread acceptance within a relevant scientific community? Patriot Act Greatly expands governmental powers in terms of searching, wiretap w/o prior notification USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

20 Investigatory Process: Needs Acceptance Steps and methods are accepted as valid Reliability Methods can proven to support findings e.g., method for recovering an image from swap space can be shown to be accurate Repeatability Process can be reproduced by independent agents USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

21 Investigatory (2) Integrity Evidence is not altered (if at all possible) and can prove that was not altered (or measure the degree to which it was altered) Cause and effect Can show strong logical connections between individuals, events, and evidence Documentation Entire process documented, with each step explainable and justifiable USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 22 The Beginning: Incident Alert System administrator notices strange behavior on a server (slow, hanging) Intrusion detection system alerts administrator of suspicious network traffic Company suddenly loses a lot of sales Citizen reports criminal activity Computer repair center notices child pornography during a computer repair, notifies police

Murder, computer at the scene Murder, victim has a PDA Law enforcement: must investigate Corporate/military: may investigate, depending on severity, other priorities USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 23 Crime Scene Document, document, document! Photographs depicting the organization of equipment, cabling Detailed inventory of evidence

Proper handling procedures, turn on, leave off rules for each type of digital device e.g., for computer: Photograph screen, then disconnect all power sources Place evidence tape over each drive slot Photograph/diagram and label back of computer components with existing connections Label all connectors/cable ends to allow reassembly as needed If transport is required, package components and transport/store components as fragile cargo USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 24 Examples of Digital Evidence Computers increasingly involved in criminal

and corporate investigations Digital evidence may play a support-ing role or be the smoking gun Email Harassment or threats Blackmail Illegal transmission of internal corporate documents USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 25 Examples (2)

Meeting points/times for drug deals Suicide letters Technical data for bomb making Image or digital video files (esp., child pornography) Evidence of inappropriate use of computer resources or attacks Use of a machine as a spam email generator Use of a machine to distribute illegally copied software USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 26

Sources of Digital Evidence Computers Email Digital images Documents Spreadsheets Chat logs Illegally copied software or other copyrighted material USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 27 Digital Evidence on a Disk Files Active

Deleted Fragments File metadata Slack space Swap file System information Registry Logs Configuration data USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 28 More Sources (1) Wireless telephones Numbers called Incoming calls Voice mail access numbers Debit/credit card numbers Email addresses Call forwarding numbers PDAs/Smart Phones Above, plus contacts, maps, pictures, passwords, documents, USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 29 More Sources (2) Landline Telephones/Answering machines Incoming/outgoing messages Numbers called Incoming call info Access codes for voice mail systems Contact lists Copiers Especially digital copiers, which may store entire copy jobs USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

30 More Sources (3) Video game systems Basically computer systems, especially XBox. GPS devices Routes, way-points Digital cameras Photos (obvious) but also video, arbitrary files on storage cards (SD, memory stick, CF, ) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

31 Preservation of Evidence Stabilize evidence Depends on device category, but must keep volatile devices happy Whenever possible, make copies of original evidence Write blocking devices and other technology to ensure that evidence is not modified are typically employed Careful! Not all evidence preservation devices work as advertised! Original evidence then goes into environmentallycontrolled, safe location Feeding of volatile devices continues in storage Copies of evidence are used for the next phase of investigation USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

32 On the Scene Preservation tickticktick Dear Susan, Its not your fault Just pull the plug? Move the mouse for a quick peek? Tripwires wireless connection Volatile computing USENIX Security 2007

Living room Basement/closet Copyright 2007 by Frank Adelstein and Golden G. Richard. III Careful Documentation is Crucial USENIX Security 2007 33 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 34 Preservation: Imaging When making copies of media to be

investigated, must prevent accidental modification or destruction of evidence! Write blockers: A good plan. Tools for imaging: dd under Linux DOS boot floppies Proprietary imaging solutions Drivelock write blocker USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 35 Analysis: Art, Science, Experience Know where evidence can be found

Understand techniques used to hide or destroy digital data Toolbox of techniques to discover hidden data and recover destroyed data Cope with HUGE quantities of digital data Ignore the irrelevant, target the relevant Thoroughly understand circumstances which may make evidence unreliable One example: Creation of new users under Windows 95/98 USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Traditional Computer: Wheres the Evidence?

36 Undeleted files, expect some names to be incorrect Deleted files Windows registry Print spool files Hibernation files Temp files (all those .TMP files in Windows!)

Slack space Swap files Browser caches Alternate or hidden partitions On a variety of removable media (floppies, ZIP, tapes, ) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 37 Analysis (1) Using copies of original digital evidence, recover as much evidence as possible Discovery of deleted files Discovery of renamed files

Recovery of data blocks for long-deleted files Discovery of encrypted material Creation of indices for keyword searches against slack space, swap file, unallocated areas Use cryptographic hash dictionaries to identify known important/irrelevant files USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 38 Analysis (2) File carving to recover deleted files, file fragments from unallocated space Discovery of known files using hash dictionaries, to eliminate operating system files, executables for popular application suites,

Categorization of evidence x JPEG files y Word files z encrypted ZIP files Application of password cracking techniques to open encrypted material Many of these processes can be automated USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

39 Analysis (3) Creation of a timeline illustrating file creation, modification, deletion dates For Unix filesystems: inode # timelines Unusual activity will then pop out on the timeline Careful! Clock skew, timezone issues, dead CMOS battery Viewing undeleted and recovered data meeting relevant criteria e.g., in a child pornography case, look at recovered JPEG/GIF images and any multimedia files Probably would not investigate Excel or financial documents Formulation of hypotheses and the search for additional evidence to justify (or refute) these hypotheses USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 40 QUICK FTK DEMO (Point and click digital forensics) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 41 FTK Screenshots: New Case USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 42 FTK Screenshots: Investigation Begins USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 43 FTK Screenshots: Case Summary USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

44 FTK Screenshots: Thumbnail View USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 45 An Investigative Sampler Impossible to illustrate many traditional forensics techniques in a short time Idea: quickly illustrate diversity of available techniques with a few examples Windows Registry Swap File

Hibernation File Recycle Bin Print Spool Files Filesystem Internals File Carving Slack Space (similar structures on Linux, Mac OS X, etc.) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 46 Windows Registry

Can be a forensics goldmine Lots of information, fairly difficult to clean Usernames Internet history Program installation information Recently accessed files USB device history In this tutorial, just a few examples USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

47 Accessing Registry Files (Live) Image the machine -- or Use Obtain Protected Files in the FTK Imager USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 48 FTK Registry Viewer

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 49 NTUSER.dat file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 50 NTUSER.dat file USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 51 NTUSER.dat file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 52 NTUSER.dat file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

53 NTUSER.dat file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 54 NTUSER.dat file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 55

SAM file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 56 SOFTWARE file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 57 SOFTWARE file

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 58 ** VERY IMPORTANT ** Select key chooses which control set is current, which is last known good configuration SYSTEM file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 59

SYSTEM file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 60 Two Jumpdrive Elite thumbdrives 750GB USB hard drives (same type) SYSTEM file USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

61 More Registry Other useful info obtainable from the registry: CPU type Network interface information IP addresses, default gateway, DHCP configuration, Installed software Installed hardware Registry information gotchas redundant, undocumented information profile cloning on older versions of Windows (95/98) (e.g., typed URLs, browser history, My Documents, ) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

62 File Systems Quick overview USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 63 File Systems Data Files Directories Metadata

Time stamps (modify, access, create/change, delete) Owner Security properties Structures Superblock/Master File Table/File Access Table inodes/clusters data USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 64 File Systems (2) More sophisticated data recovery requires deep knowledge of filesystem internals Structures that manage filesystem metadata

Disk layout File deletion issues Many important filesystems DOS / Windows: FAT, FAT16, FAT32, NTFS Unix: ext2, ext3, Reiser, JFS, more Mac: MFS, HFS, HFS+ This tutorial: ext2/3 + FAT But NTFS also very important Details of filesystem structures beyond scope of tutorial, see Carriers book File System Forensic Analysis for full descriptions USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 65

File Systems: ext2 and ext3 Efficient file system, supports indirect blocks (double and triple indirection) symbolic links sparse files Has MAC times, but no file creation time ext3 = ext2 + journaling for faster crash recovery and system boot file check Forensic artifacts from file deletion: ext2: content preserved, connection to name lost ext3: connection to content lost, metadata preserved USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 66

File Deletion: Linux ext2 file deletion Adjust previous directory entry length to obscure deleted record No reorganization to make space in directories first fit for new directory entries, based on real name length Directory entrys inode # is cleared ext3 file deletion Same as for ext2, but inode is wiped on file deletion, so block numbers are lost Major anti-forensics issue! But directory entrys inode # isnt cleared USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

67 File Systems: FAT FAT12, FAT16, FAT32 different size of addressable cluseter Common format for floppy disks (remember those?) Limited time/date information for FAT files Last write date/time is always available Creation date/time is optional and may not be available Last access DATE ONLY is optional and may not be available Short file names (8.3) on FAT12 and FAT16 No security features Long names for FAT32 USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 68 FAT: Short Filename Storage foo.bar FOO.BAR Foo.Bar foo

foo. PICKLE.A prettybg.big Note case is not significant . between primary filename and extension is implied (not actually stored) Further, everything is space-padded USENIX Security 2007 -> ->

-> -> -> -> -> FOO BAR FOO BAR FOO BAR FOO FOO PICKLE A PRETTYBGBIG

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 69 FAT: More Dir Entry Details Date format: Bits 04: Day of month, valid value range 1-31 inclusive. Bits 58: Month of year, 1 = January, valid value range 112 inclusive. Bits 915: Count of years from 1980, valid value range 0127 inclusive (19802107). Time Format: A FAT directory entry time stamp is a 16-bit field that has a granularity of 2 seconds Bits 04: 2-second count, valid value range 029 inclusive (0 58 seconds).

Bits 510: Minutes, valid value range 059 inclusive Bits 1115: Hours, valid value range 023 inclusive USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 70 FAT: Long Filenames Summary: a kludge to add support without changing short-name handling Up to 255 characters in pathname component Total pathname no longer than 260 More supported characters Leading/trailing spaces ignored Internal spaces allowed Leading/embedded . allowed Trailing . are ignored

Stored case-sensitive Processed case-insensitive (for compatibility) File created with short name (uses ~1, ~2, etc. suffix) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 71 File Systems: NTFS Master File table grows, never shrinks (artifacts!) B-tree algorithm used for file tree re-balances file system tree when tree changes creating or deleting a file can cause entire tree to change and can overwrite nodes that were marked as free but still had information in them can destroy artifacts!

lots of attributes on files, can be confusing (e.g., which access time is the official one to use) most useful attributes are MAC times USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 72 File Systems: Partitions Physical disk divided into logical partitions Logical partitions may not be mounted or may be in a format the running O/S does not recognize (e.g., dual boot system) Formats:

DOS (most common) Apple Solaris BSD RAID (can cause difficulties for investigators if disk slices have to be reconstructed manually) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 73 File System Forensic Artifacts Active files

contents (data blocks) metadata (owner, MAC times) permissions (ACLs) who is using it now (not in a static analysis) Deleted files full contents (sometimes, depends on usage) partial contents (via carving) metadata (sometimes, depends on O/S) deletion times USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

74 File Deletion: Windows FAT file deletion Directory entry has first character changed to 0xE5 Directory entry contains first cluster number (index into FAT); this isnt lost when file is deleted Other FAT entries for file are cleared NTFS file deletion IN_USE flag on MFT entry for file is cleared Parent directory entry is removed and directory is re-sorted

Data clusters marked as unallocated Filename is likely to be lost, but since MFT entry isnt destroyed, file data may be recoverable Dates arent lost Caveat: NTFS reuses MFT entries before creating new ones, so recoverable deleted files are probably recently deleted ones USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 75 File Rename, Move When a file is renamed under Windows, old directory entry is deleted and new one created Starting cluster is the same for each

Establishing that a user moved or renamed a file can provide evidence that the user knew of the files existence USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 76 Useful Files with Forensic Content USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 80

Windows Shortcut Files In Desktop, Recent, etc. directories *.lnk files Give information about configuration of desktop Existence of desktop shortcuts (even if the shortcut files are deleted) can establish that user knew of the existence of the files establish that user organized files e.g., can be used to dismiss claims that child pornography or illegal copies of software were accidentally downloaded in a bulk download operation

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 81 Windows Swap Files Supports Windows virtual memory system Contains swapped out pages corresponding to executing processes NT, Win2000, XP Generally, c:\pagefile.sys Hidden file 95/98 c:\windows\win386.swp Hidden file USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 82 Windows Swap File: Overview Potentially, contains a lot of junk File carving or keyword searches against the raw disk will yield a

superset of the information in the swap file (obviously) May be useful to target swap file directly, particularly on large drives Careful! Keyword matches against the swap file DO NOT necessarily mean that the corresponding strings were in pages swapped out during the last boot! When the swap file is created, the underlying blocks arent cleaned As the swap file is reused, not all blocks are cleaned Swap file can create a jail, where e.g., deleted file data from the browser cache end up trapped in the set of blocks allocated to the swap file Blocks may not be overwritten even during months of use! USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 83

Swap File Snippets JPEG carved out of XP swap file, corresponds to an Adobe file that was open during last boot of target machine USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 84

Swap File Snippets (2) Deleted file from IE cache jailed by creation of swap file This file created and deleted before swap file was even enabled on target machine! Months old! USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 85

Hibernation Files Memory image of XP box, created at shutdown Allows fast restart Hibernation file locked during OS execution Approximately the size of physical RAM (e.g., 2GB RAM == ~2GB hibernation file) Potentially much more interesting than swap file, since it allows the last on state of the machine to be recreated USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 86 Hibernation (2) Can search hibernation file for interesting strings, including URLs, passwords, etc. First block of file is zero-filled after boot, so you get one chance to boot the machine again, unless you have a backup of the hibernation file Remainder of hibernation file remains unchanged until another hibernation event occurs Means that you may be able to recover interesting information that is quite old USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

87 Windows Recycle Bin Indirect file deletion facility Mimics functionality of a trashcan Place garbage into the can You can change your mind about the garbage and remove it, until trash is emptied, then its gone Files are moved into a special directory Deleted only when user empties USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 88

Windows Recycle Bin: Closer Look In Win2K/XP, \RECYCLER In 95/98, \RECYCLED On dragging a file to recycle bin: File entry deleted from directory File entry created in recycle bin directory Data added to INFO/INFO2 file in the recycle bin INFO file contains critical info, including deletion time Presence of deletion info in INFO file generally indicates that the file was intentionally deleted USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 89

INFO file: Closer Look INFO file is binary, but format is documented For each file in the recycle bin, contains: Original pathname of file Time and date of file deletion New pathname in the recycle bin Index in the recycle bin Can be used to establish the order in which files were deleted Popular commercial forensics packages parse INFO files

e.g., Encase USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 90 Windows Print Spool Files *.spl, *.shd files .shd file contains information about the file being printed .spl file contains info to render the contents of the file to be printed Presence of .shd files can be used in a similar fashion as for shortcut files shows knowledge of existence of files and a deliberate attempt to access (print) the contents of the file

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 91 Slack Space (Simplified View) MOM.TXT: Dear Mom, Dropped the hamster. Didnt mean to kill Herbie! Dear Mom, Dropp ed the hamster. D idnt mean to kill He rbie! << file is deleted and storage is reallocated>> SORRY.TXT: Its sad news about Henrietta. Call me. Its sad news about Henrietta. Call m e.nt mean to kill He rbie USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 92 Analysis: Evidence Correlation Chat logs for IRC channel catering to trading of illegally copied software File creation dates for illegal software close to those of the chat session Bulk downloads of illegal images followed by categorization of images Incriminating categories (e.g., directories)? Correlation is still largely a human task

USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 93 Analysis: Challenges (1) Digital evidence: incomplete view of communication Example: Digital communication event between two human beings Primary method: EMAIL Hundreds or thousands of keystrokes and mouse clicks, which were probably not captured Draft copies of email which may not represent the actual message that was sent Fragments of email in browser cache (for web-based email) Attachments? Secondary communication streams during event?

Messenger programs (e.g., Im sending you that suicide letter I wrote as my creative writing project) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 94 Analysis: Challenges (2) Interactions with other computers Internet makes investigation much more difficult Use of encryption, steganography Secure deletion

Luckily (?) some secure deletion software is horribly broken Operating systems features! e.g., ext3 filesystem in Linux Secure recycle bin in Mac OS X Criminals are getting smarter, many current investigative techniques will need to be improved USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 95 Reporting Case reports must included detailed explanations of every step in the investigative process

Detail must be sufficient to recreate the entire process A keyword search on heroin revealed a deleted email message with an attachment as well as a number of other email messages in which an alias was used by the defendant The attachment on the matching email file was an encrypted ZIP archive named credits.zip Attempts to crack the ZIP password using the Password Recovery Toolkit failed to reveal the password, so a number of aliases used by the suspect in the emails were tried as passwords trainspotter was discovered to be the ZIP password Located inside the ZIP file was a text file with a number of credit card numbers, none of which were found to belong to the defendant USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

More Sophisticated Dead Analysis 96 File carving Better auditing of investigative process Better (automated) correlation of evidence Better handling of multimedia Distributed digital forensics Massively threaded digital forensics tools

e.g., GPUs, multicore CPUs USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 97 File Carving: Basic Idea unrelated disk blocks one cluster interesting file one sector header, e.g., 0x474946e8e761

(GIF) footer, e.g., 0x003B (GIF) milestones or anti-milestones USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 98 File Carving: Fragmentation header, e.g.,

0x474946e8e761 (GIF) footer, e.g., 0x003B (GIF) milestones or anti-milestones USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 99 File Carving: Fragmentation

footer, e.g., 0x003B (GIF) USENIX Security 2007 header, e.g., 0x474946e8e761 (GIF) Copyright 2007 by Frank Adelstein and Golden G. Richard. III 100 File Carving: Damaged Files No footer header, e.g.,

0x474946e8e761 (GIF) milestones or anti-milestones USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 101 File Carving: Block Sniffing header, e.g., 0x474946e8e761 (GIF)

Do these blocks smell right? N-gram analysis entropy tests deep analysis USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 102 Better Auditing USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 103

Beowulf, Slayer of Computer Criminals USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 104 But Evidence is Also Improving performance and sophistication of dead forensics is important, but evidence is also In the network In RAM On machine-critical machines Cant turn off without severe disruption Cant turn them ALL off just to see!

On huge storage devices 1TB server: image entire machine and drag it back to the lab to see if its interesting? 10TB? USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 105 Simple Network Forensics Obtain another piece of the puzzle Find information on what happened by looking in the network packet flow Information can be used to: Reconstruct sessions (e.g., web, ftp, telnet, IM) Find files (downloaded or accessed through network drives)

Find passwords Identify remote machines USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 106 Constraints Legal While there is a wealth of information on the network, there are MANY legal constraints relating to wire-tapping, e.g., Computer Fraud and Abuse Act (18 U.S.C. 1030) Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. 2703 et seq) "wire communication" (18 U.S.C. 2510) plus state laws

May depend on what information you collect, whether it is part of the normal practices, whether there is any reasonable expectation to privacy, etc. The laws can be subtle Consult an expert first and have a policy defined ahead of time! USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 107 Constraints Technical tapping the right line switched vs. flat networks

determining proper IP addresses IP addresses may change over time corroborating evidence with: log files evidence obtained from traditional forensic evaluation evidence obtained from live forensic evaluation encrypted data USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 108 Typical Scenario Dead forensics information incomplete discovered to be incomplete predicted to be incomplete

Non-local attacker or local user using network in inappropriate fashion Generally, another event triggers network investigation Company documents apparently stolen Denial of service attack Suspected use of unauthorized use of file sharing software Cyberstalking or threatening email USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 109 Information Available Summary information (router flow logs)

Routers generally provide this information Includes basic connection information source and destination IP address and ports connection duration number of packets sent No content! Can only surmise what was sent Can establish that connections between machines were established Can corroborate data from log files (e.g., sshing from one machine to another to another within a network) Unusual ports (rootkits? botnet?) Unusual activity (spam generator?) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 110

Information Available (2) Complete information (packet dumps) from programs like Ethereal/Wireshark, snort, tcpdump on an active net, can generate a LOT of data can provide filter options so programs only capture certain traffic (by IP, port, protocol) includes full contentcan reconstruct what happened (maybe) reconstruct sessions reconstruct transmitted files retrieve typed passwords identify which resources are involved in attack BUT no easy way to decrypt encrypted traffic USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

111 Information Available (3) Port scans (nmap, etc.) Identifies machines on your network Often can identify operating system, printer type, etc., without needing account on the machine OS fingerprinting Identifies ports open on those machines Backdoors, unauthorized servers, Identifies suspicious situation (infected machine, rogue computer, etc.) nmap: lots of options USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 112 Analysis Does not exist in a vacuum Link information in analysis to network and host log files who was on the network who was at the keyboard what files are on the disk and where Look up the other sites (who are they, where are they, whats the connection) Otherwise, network traces can be overwhelming Potentially huge amounts of data Limited automation! USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 113 Normal ICMP Traffic (tcpdump) Pings IP IP IP IP IP IP IP IP BOUDIN.mshome.net > www.google.com: www.google.com > BOUDIN.mshome.net:

BOUDIN.mshome.net > www.google.com: www.google.com > BOUDIN.mshome.net: BOUDIN.mshome.net > www.google.com: www.google.com > BOUDIN.mshome.net: BOUDIN.mshome.net > www.google.com: www.google.com > BOUDIN.mshome.net: icmp icmp icmp icmp icmp icmp icmp icmp 40: 40:

40: 40: 40: 40: 40: 40: echo echo echo echo echo echo echo echo request seq 6400 reply seq 6400

request seq 6656 reply seq 6656 request seq 6912 reply seq 6912 request seq 7168 reply seq 7168 Host unreachable xyz.com > boudin.cs.uno.edu: icmp: host blarg.xyz.com unreachable Port unreachable xyz.com > boudin.cs.uno.edu: icmp: blarg.xyz.com port unreachable Copyright 2007 by7777 Frank Adelstein and Golden G. Richard. III

USENIX Security 2007 114 HTTP Connections 3-way TCP handshake as laptop begins HTTP communication with a google.com server IP tasso.1433 > qb-in-f104.google.com.80: S 3064253594:306425359 4(0) win 16384 IP qb-in-f104.google.com.80 > tasso.1433: S 2967044073:296704407 3(0) ack 3064253595 win 8190 IP tasso.1433 > qb-in-f104.google.com.80: . ack 1 win 17520 USENIX Security 2007

Copyright 2007 by Frank Adelstein and Golden G. Richard. III 115 Fragmentation Visualization Fragmentation can be seen by tcpdump whatever.com > me.com: icmp: echo request (frag 5000:[email protected]+) whatever.com > me.com: (frag 5000:[email protected]) ID Note that 2nd frag isnt identifiable as ICMP echo request USENIX Security 2007 offset

size more frags flag Copyright 2007 by Frank Adelstein and Golden G. Richard. III nmap 137.30.120.* 116 Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-10-24 19:32 Interesting ports on 137.30.120.1: Not shown: 1679 closed ports PORT STATE SERVICE 23/tcp open telnet MAC Address: 00:0D:ED:41:A8:40 (Cisco Systems)

All 1680 scanned ports on 137.30.120.3 are closed MAC Address: 00:0F:8F:34:7E:C2 (Cisco Systems) All 1680 scanned ports on 137.30.120.4 are closed MAC Address: 00:13:C3:13:B4:41 (Cisco Systems) All 1680 scanned ports on 137.30.120.5 are closed MAC Address: 00:0F:90:84:13:41 (Cisco Systems) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III nmap 137.30.120.* 117 Interesting ports on mailsvcs.cs.uno.edu (137.30.120.32):

Not shown: 1644 closed ports PORT STATE SERVICE 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp

open smtp 37/tcp open time 79/tcp open finger 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 143/tcp open imap 443/tcp open https 512/tcp open exec

Copyright 2007 by Frank Adelstein and Golden G. Richard. III USENIX Security 2007 Wireshark (aka Ethereal) 118 Packet listing Detailed packet data at various protocol levels

USENIX Security 2007 Raw data Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: Following a TCP Stream USENIX Security 2007 119 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: FTP Control Stream USENIX Security 2007

120 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: FTP Data Stream USENIX Security 2007 121 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: FTP Data Stream USENIX Security 2007 122

Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: Extracted FTP Data Stream USENIX Security 2007 123 Copyright 2007 by Frank Adelstein and Golden G. Richard. III Wireshark: HTTP Session 124 save, then trim away HTTP headers to retrieve image

Use: e.g., WinHex USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 125 Conclusion: Network Analysis Potentially a source of valuable evidence beyond that available from dead analysis By the time an incident occurs, may have lost the change to capture much of the interesting traffic Challenging: huge volumes of data Again, only one part of a complete investigative strategy This introduction didnt include stepping stone

analysis, many other factors (limited time) USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III 126 END OF Background Material NEXT: Live Forensics USENIX Security 2007 Copyright 2007 by Frank Adelstein and Golden G. Richard. III

Recently Viewed Presentations

  • Defects of BCH - IEEE Standards Association

    Defects of BCH - IEEE Standards Association

    Defects of BCH IEEE P802.22 Wireless RANs Date: 2008-03-15 Authors: Notice: This document has been prepared to assist IEEE 802.22. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s).
  • MICROSCOPE - Denton ISD

    MICROSCOPE - Denton ISD

    MICROSCOPE. Arm - this attaches the eyepiece and body tube to the base. Base - this supports the microscope. ... Revolving nosepiece - the rotating device that holds the objectives (lenses). Stage - the platform on which a slide is...
  • Ap Seminar

    Ap Seminar

    On a blank sheet of paper, group members will record any thoughts regarding stimulus, perspectives, lenses, sources, insights, counter-claims, connections, limitations, solutions and/or questions relating to North's topic/research. ... Ap Seminar Last modified by:
  • Fahrenheit 451 - Weebly

    Fahrenheit 451 - Weebly

    Fahrenheit 451. Our world. In Fahrenheit 451, the firemen frequently burn books. While the flapping pigeon-winged books died on the porch and lawn of the house. While the books went up in whirls and blew away on a wind turned...
  • Terson&#x27;n syndrome

    Terson'n syndrome

    Introduction. Terson's syndrome is the association of vitreous or retinal haemorrhage with subarachnoid haemorrhage (SAH). The diagnosis is typically made fundoscopically.
  • Title

    Title

    To increase effectiveness by means of operations automation in a paperless procedures. ... PCS is like a virtual table formed by the port community. A PCS is a system that can be viewed as a "virtual table" formed by the...
  • Introduction to Literature in English

    Introduction to Literature in English

    Literature can be defined as 'pieces of writing that are valued as works of art, especially novels, plays and poems'. (Oxford Advanced Learner's English Dictionary). This is a very narrow definition of literature as non-fiction literature is not included in...
  • Wolfgang Wildgen The Evolution of Meaning and Discourse

    Wolfgang Wildgen The Evolution of Meaning and Discourse

    Wolfgang Wildgen The Evolution of Meaning and Discourse Cognitive Science Case Western Reserve University, 3rd of October 2007 Contents 1. Introduction: Catastrophic transitions in the evolution of life 2.