Computer Forensics handouts

Computer Forensics
Tim Louwers, Ph.D., CPA, CIA, CISA
Kenny Reynolds, Ph.D., CISSP
Louisiana State University

Computer Crime
Types of Computer Crimes
– Hacking/cracking, network intrusion
– Computer viruses
– Harassment and cyberstalking
– Industrial espionage, insider crimes
– Employee misconduct
– Child porn
– Pirated software
Basically, any crime that is aided or abetted
by a computer

Examples
Hackers reroute phone lines to guarantee winning a radio giveaway.
– Two Porsches and $30,000

Network Program Designer unleashes $10
million computer “bomb.”
– Bomb permanently deleted all of the company’s
sophisticated software programs.

Three Drexel frat brothers “fix” horse race
– Prosecutors called it a real-life version of "The
Sting" -- an insider exploiting a hole in
computer security to create a sure-thing horse
racing bet worth more than $3 million.


Computer Forensics Defined
“The employment of a set of predefined procedures to thoroughly examine a computer system using software and tools to extract and preserve evidence of criminal activity.” -- The SANS (SysAdmin, Audit, Network, Security) Institute

“The application of computer investigation and
analysis techniques in the interests of
determining potential legal evidence." -- Judd
Robbins (Computer Forensics Investigator)

“The science of acquiring, preserving,
retrieving, and presenting data that has been
processed electronically and stored on computer
media.” – The Federal Bureau of Investigation


Computer Forensics
The computer is used as a storage medium -- evidence can often be retrieved even after the data has been deleted.
Useful aid in law enforcement.

– Tracking terrorists
– Impeaching Presidents
– Tracing computer virus creators

Potential deterrent to computer
criminals?

Evidence that can be found
with Computer Forensic
Techniques
All existing data in the computer's directory
structure.
Any deleted files which have not yet been
overwritten by the operating system.
Deleted emails.
Pages recently printed on the suspect's printer.
Renamed files.
Application software.
Specific words, numbers, etc.

Recently accessed web sites.
Passwords to commonly used
programs/websites.
Password protected files.


I. Search and Seizure:
4th Amendment: "Reasonable Expectation of Privacy"

A search is constitutional if it does not
violate a person's "reasonable" or
"legitimate" expectation of privacy.
“Closed container” rule
– The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a “closed container” (e.g., briefcase or file cabinet) and examining its contents in the same situation.


I. Search and Seizure:
Intelligence Gathering
Is there a computer
in use?
What kind of
computer and
operating system?
What evidence do
you want?
How sophisticated is
the suspect?

I. Search and Seizure: The Raid
• Control the scene
  • Time the raid so that you have control.
• Control individuals
  • Separate suspects from the equipment.
  • Control others present even if they are not suspects.
• Identify potential evidence
  • Know what you are looking for.
• Eliminate threats
  • Assess the possibility that the system can be controlled from a remote system...
  • Eliminate this threat immediately!!!



II. Processing the Scene
[Slide image: "CRIME SCENE" tape]


II. Processing the Scene
(Continued)
Document! Document!! Document!!!

– The individual who occupies the office
– The name of the employees that may have
access to the office
– The location of the computer system in the
room
– The state of the system (whether it is powered on, and what is visible on the screen)
– The people present at the time of the raid
– The serial number, models, and makes of the
hard drives and components of the system
– The peripherals attached to the systems


II. Processing the Scene
(Continued)
On-screen activity -- power down or not?
Is the activity destructive (e.g., a wipe or self-destruct routine running)?
– Yes -- pull the plug: stopping the machine freezes further data loss.
Is there anything of evidentiary value in the running state?
– Powering down loses anything that exists only in memory (running processes, open files, network connections).
– Before powering down: verify and record the system date and time against a trusted clock.
– Capture process listings and open files.
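A scripted version of the live-capture step above (record the system clock, who is logged in, process listings, open files and network state before pulling the plug), added here as an example; it is not code from the original handout. It assumes a Linux/Unix suspect system and the tool names date, uptime, who, ps, lsof and ss (the Windows equivalents such as tasklist and netstat differ); the output directory and the optional tool_dir are assumptions. Every output is saved and hashed at collection time so it can be authenticated later, and a tool that is missing or hangs is recorded rather than aborting the collection.

```python
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Volatile state worth recording before a suspect system is powered down.
# Linux/Unix tool names (assumed); on Windows the equivalents would be
# tasklist, openfiles and netstat -ano.
DEFAULT_COMMANDS = [
    ("system_clock", ["date", "-u"]),   # compare against a trusted clock
    ("uptime", ["uptime"]),
    ("logged_in", ["who"]),
    ("processes", ["ps", "-ef"]),
    ("open_files", ["lsof", "-n"]),
    ("network", ["ss", "-tunap"]),
]


def collect_volatile(commands, outdir, tool_dir=None, trusted_clock=None):
    """Run each command, save its raw output and return a manifest.

    tool_dir: directory on the examiner's own media holding known-good
    binaries; when given, tools are run from there rather than from the
    suspect's PATH. trusted_clock: UTC time from an external reference,
    recorded beside the suspect's clock so skew can be computed later.
    A tool that is absent or hangs is recorded, not fatal.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collection_started_utc": datetime.now(timezone.utc).isoformat(),
        "trusted_clock_utc": trusted_clock.isoformat() if trusted_clock else None,
        "items": [],
    }
    for name, argv in commands:
        if tool_dir:
            argv = [os.path.join(tool_dir, argv[0])] + argv[1:]
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            output, rc, error = proc.stdout + proc.stderr, proc.returncode, None
        except FileNotFoundError:
            output, rc, error = b"", None, "tool not present"
        except subprocess.TimeoutExpired:
            output, rc, error = b"", None, "timed out"
        path = outdir / f"{name}.txt"
        path.write_bytes(output)
        manifest["items"].append({
            "name": name,
            "argv": argv,
            "started_utc": started,
            "exit_code": rc,
            "error": error,
            "output_file": str(path),
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(manifest):
    """Re-hash each saved output; return the names whose contents changed."""
    return [item["name"] for item in manifest["items"]
            if hashlib.sha256(Path(item["output_file"]).read_bytes()).hexdigest()
            != item["sha256"]]


if __name__ == "__main__":
    m = collect_volatile(DEFAULT_COMMANDS, "volatile_capture")
    for item in m["items"]:
        print(f'{item["name"]:14} rc={item["exit_code"]} {item["error"] or ""} {item["sha256"][:16]}')
```

Run the tools from the examiner's own media (the tool_dir argument) rather than the suspect's PATH, since binaries on a compromised system may lie about what is running. Running anything on the live machine does change its state (a new process, memory pages, possibly log entries), which is exactly why each step is timestamped and hashed in the manifest.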



II. Processing the Scene
(Continued)
Wear surgical gloves
Photograph
– Books
– Papers
– Notes
– Hardware
Note position of all manuals
Seize all manuals
Sketch entire PC, including
connections

II. Processing the Scene
(Continued)
Tag and label all physical
components and record
identifying information.

Clearly label components with a
"DON'T TOUCH OR OPERATE"
warning!
Only disassemble enough to
facilitate transport.
Pack and pad components in
boxes with static resistant
packing.

II. Processing the Scene
(Continued)
Identify Network connections (LAN,
WAN, DSL, Cable) and disable.
Tag both ends of all wires, even if
one end of the wire is not connected
to anything!
Be aware of wireless networks.
Disconnect phone and modem lines.
– Mark each line so you know where it came from.
– Do NOT unplug power for memory phones, fax machines, modems, caller ID boxes.


III. Preserving the
Evidence
Typical kinds of evidence in computer
forensics
– Computer log files
• Successful and failed logins, website hits, access
logs, error logs, etc.

– Other access records
• Phone records, physical access logs

– E-mail communications
– Electronic storage media
• Hard drive, floppy disks, CDs, tapes, other media

– Hardcopy records


III. Preserving the
Evidence
Evidence Life Cycle:
– Collection and Identification
– Analysis
– Storage, Preservation, Transportation
– Presentation
– Return (if applicable)

Thou shalt not alter the evidence in any way. Ensure that:
– No evidence is damaged, destroyed, or otherwise
compromised.
– Evidence is properly handled and protected
– Information which must remain private does so:
• Any client-attorney information that is inadvertently acquired
• Information which would require a warrant must have one


III. Preserving the Evidence:
Protecting data on the hard drive

DON’T BOOT FROM THE HARD DRIVE
– Boot from other media:
• Boot from floppy or CD
– Use new boot disks for each seizure

– Access the hard drive as a slave in another machine
– Use write-protecting software or a hardware write-blocking device
The only reason to touch the suspect hard drive:
– To create an image of it.


III. Preserving the Evidence (Continued)
Make a bit-for-bit (mirror) image of the hard drive
– Digital evidence can be duplicated with no degradation from copy to copy.
– Authenticate the image: compute a cryptographic hash of the original and of the image (MD5 or SHA-1 at the time of these slides; SHA-256 today), confirm the values match, and record the value on the evidence tag.

Seal and safeguard the originals and work only with disk images.
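The protect-and-image procedure from the two slides above (open the source read-only, copy it sector by sector, authenticate the copy by hash, then verify working copies against that hash), as an added Python example; it is not code from the handout or from any imaging tool it lists. It assumes a 512-byte sector size and a Unix-like host where the suspect drive appears as a block device path, and uses SHA-256 where the handout's era used MD5 or SHA-1. The FailingDevice class and the sample bytes are constructed so the unreadable-sector path can be exercised without damaged hardware.

```python
import hashlib
import os

SECTOR = 512  # assumed sector size for the example


class ReadOnlyDevice:
    """Open a block device or image file read-only and read it sector by
    sector. O_RDONLY is a software safeguard at the examiner's end; it does
    not replace a hardware write blocker, which also stops the operating
    system from mounting or otherwise touching the drive."""

    def __init__(self, path):
        self.fd = os.open(path, os.O_RDONLY)
        end = os.lseek(self.fd, 0, os.SEEK_END)  # works for devices, where st_size is 0
        self.sector_count = -(-end // SECTOR)

    def read_sector(self, n):
        os.lseek(self.fd, n * SECTOR, os.SEEK_SET)
        return os.read(self.fd, SECTOR)

    def close(self):
        os.close(self.fd)


class FailingDevice:
    """Constructed stand-in for a drive with unreadable sectors, so the
    error path below can be exercised without real hardware."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.sector_count = -(-len(data) // SECTOR)

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(dev, out_path):
    """Bit-for-bit copy of dev into out_path. Unreadable sectors are
    zero-filled and logged (the behaviour of dd conv=noerror,sync), so
    every byte of the image sits at the same offset as on the original.
    Returns (acquisition_hash, bad_sector_log)."""
    h = hashlib.sha256()
    bad = []
    with open(out_path, "wb") as out:
        for n in range(dev.sector_count):
            try:
                data = dev.read_sector(n)
            except OSError as err:
                bad.append((n, str(err)))
                data = b"\x00" * SECTOR
            out.write(data)
            h.update(data)
    return h.hexdigest(), bad


def hash_device(dev):
    """Hash the original directly (only possible when every sector reads);
    a match with the acquisition hash proves the image is a true copy."""
    h = hashlib.sha256()
    for n in range(dev.sector_count):
        h.update(dev.read_sector(n))
    return h.hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, acquisition_hash):
    """Re-hash a stored or duplicated image; a match means it is unchanged."""
    return sha256_file(image_path) == acquisition_hash
```

The acquisition hash belongs on the evidence tag, and every working copy is checked against it with verify_image() before and after an examination session. When sectors could not be read, hash_device() is not available; the image hash plus the bad-sector log is then the record of what was acquired.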


III. Preserving the Evidence:
Examples of Imaging Tools

HARDWARE
– Tape Drives
– Removable Media (Zip, Jaz, etc.)
– Clone or Slave Drives
– Network Servers
– Optical Drives (CD-ROM, Magneto-Optical, DVD, etc.)
– Disk Duplicators

SOFTWARE
– Anadisk/Teledisk Image Idiskdup
– Byte Back
– Linux "dd"
– Norton Ghost
– SafeBack
– EnCase
– SnapBack DatArrest


III. Preserving the Evidence:
Examples of Imaging Tools (continued)

EnCase (Guidance Software, Pasadena, CA)
– Imaging program -- makes an exact image of the original hard drive.
– Provides authentication of the file system
– “THE” standard commercial computer forensic toolkit.

Norton Ghost

III. Preserving the Evidence:
Chain of Custody

Chain of Custody
– Who obtained it?
– When / where was it obtained?
– Who secured it and how?
– Who controlled it after it was secured?
– Who accessed or handled it?
– Fewer custodians is better -- fewer people who must testify

Evidence Tag
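The chain-of-custody questions on this slide (who obtained it, when and where, who secured and controlled it, who handled it), recorded as a hash-linked custody log attached to the evidence tag. This is an added Python example, not part of the handout; the names, item identifier, locations and times in the test are constructed, and the acquisition hash is taken to be the one recorded when the media was imaged. Each entry carries the hash of the previous entry, so an altered, inserted or deleted entry is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(entry):
    """SHA-256 over the entry's fields, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceTag:
    """Evidence tag plus a hash-linked custody log. Each entry records who,
    when, where and why, and is chained to the previous entry (the first
    entry chains to the acquisition hash of the imaged media)."""

    def __init__(self, item_id, description, seized_by, location,
                 acquisition_hash, when=None):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = acquisition_hash
        self.entries = []
        self._append({"action": "seized", "by": seized_by,
                      "custodian": seized_by, "location": location}, when)

    def _append(self, fields, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.acquisition_hash
        entry = dict(fields,
                     item_id=self.item_id,
                     seq=len(self.entries),
                     time_utc=(when or datetime.now(timezone.utc)).isoformat(),
                     prev_hash=prev)
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_person, to_person, location, purpose, when=None):
        """Custody changes hands (e.g. seizing officer to property room)."""
        return self._append({"action": "transfer", "by": from_person,
                             "custodian": to_person, "location": location,
                             "purpose": purpose}, when)

    def access(self, person, purpose, when=None):
        """Handling that does not change custody, e.g. an examiner
        checking the item out to make a working image."""
        current = self.entries[-1]["custodian"]
        return self._append({"action": "access", "by": person,
                             "custodian": current, "purpose": purpose}, when)

    def custodians(self):
        """Everyone who has held the item: the list of potential witnesses."""
        return sorted({e["custodian"] for e in self.entries})

    def verify(self):
        """Recompute every hash and link. Returns (ok, first_bad_seq)."""
        prev = self.acquisition_hash
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def to_json(self):
        return json.dumps({"item_id": self.item_id, "description": self.description,
                           "acquisition_hash": self.acquisition_hash,
                           "entries": self.entries}, indent=2)
```

The log does not stop a custodian from rewriting the whole chain; it makes any edit to one entry visible, and custodians() gives the short list of people the slide says should stay short.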

IV. Evidence Examination
Use a systematic approach
– Create an examination log
– Keep detailed notes
– Audio tape your examination

Admissibility:
– Must be relevant, reliable,
permissible
– Hearsay Rule

IV. Evidence Examination:
Finding the needle …
Discovering all files -- including normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
Recovering all (or as much as possible) of deleted files.
Revealing the content of hidden files as well as temporary files -- ones used by both the application programs and the operating system.
Accessing the contents of protected and encrypted files -- only if possible and legally appropriate.


IV. Evidence Examination:
Finding the needle (continued)
Analyze all possibly relevant data -- items found in special and typically inaccessible areas of the disk
– Unallocated space on a disk -- not currently assigned to any file, but possibly still holding data from earlier files that is relevant evidence
– Slack space in a file -- the remnant area at the end of a file in the last assigned disk cluster, unused by the current file's data but possibly still holding previously written, relevant data
Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered data files


IV. Evidence Examination:
Finding the needle: Deleted files
Often, evidence that the suspect no longer
believes is recoverable can be found on
the suspect’s computer.
File “Delete” does not necessarily remove
the file itself
An investigator can use the complete or
incomplete portions of “deleted” files to
obtain valuable evidence or leads in a
case
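To make the unallocated-space, slack-space and deleted-file points of the last two slides concrete, here is an added toy volume in Python; it is not the handout's code and is far simpler than FAT or NTFS: 64-byte clusters, an allocation table and a directory. Deleting a file only frees the directory entry and the cluster chain, which is what FAT does (it marks the directory entry with 0xE5 and zeroes the chain); the data bytes stay until the clusters are reused, and a later, smaller file leaves the old remnant in its slack space. MEMO and NOTE are constructed sample data, and carve() uses text markers where a real carver would look for file signatures such as JPEG's FF D8 FF header and FF D9 footer.

```python
CLUSTER = 64        # bytes per cluster; real file systems use 4 KiB and up
N_CLUSTERS = 16
FREE, END = None, -1

# Constructed sample data for the walk-through.
MEMO = b"BEGIN memo: move the $3,000,000 to account 4471 before the auditors arrive Monday. END"
NOTE = b"grocery list: eggs, "   # 20 bytes, will reuse the memo's first cluster


class ToyVolume:
    def __init__(self):
        self.disk = bytearray(CLUSTER * N_CLUSTERS)   # the raw media
        self.fat = [FREE] * N_CLUSTERS                # next cluster, END, or FREE
        self.directory = {}                           # name -> (first cluster, size)

    def write_file(self, name, data):
        if name in self.directory:
            raise FileExistsError(name)
        needed = max(1, -(-len(data) // CLUSTER))
        free = [i for i, nxt in enumerate(self.fat) if nxt is FREE][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            # Only len(chunk) bytes are overwritten: whatever the cluster held
            # before stays behind in this file's slack space.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = free[k + 1] if k + 1 < needed else END
        self.directory[name] = (free[0], len(data))

    def delete(self, name):
        """Delete as the OS does: drop the directory entry and free the
        chain, but leave every data byte exactly where it is."""
        first, _ = self.directory.pop(name)
        for c in self._chain(first):
            self.fat[c] = FREE

    def _chain(self, first):
        chain, c = [], first
        while c != END:
            chain.append(c)
            c = self.fat[c]
        return chain

    def read_file(self, name):
        first, size = self.directory[name]
        raw = b"".join(self.disk[c * CLUSTER:(c + 1) * CLUSTER] for c in self._chain(first))
        return raw[:size]

    def slack(self, name):
        """Bytes in the file's last cluster beyond the end of its data."""
        first, size = self.directory[name]
        chain = self._chain(first)
        used = size - (len(chain) - 1) * CLUSTER
        last = chain[-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self):
        """Every cluster not assigned to a live file, concatenated."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, nxt in enumerate(self.fat) if nxt is FREE)


def carve(raw, header, footer):
    """Recover header..footer sequences from raw bytes, ignoring the file
    system's metadata entirely."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        end = raw.find(footer, start + len(header))
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found


if __name__ == "__main__":
    vol = ToyVolume()
    vol.write_file("memo.txt", MEMO)
    vol.delete("memo.txt")
    print("carved after delete:", carve(vol.unallocated(), b"BEGIN", b"END"))
    vol.write_file("note.txt", NOTE)
    print("slack of note.txt:", vol.slack("note.txt"))
    print("memo tail still unallocated:", MEMO[CLUSTER:] in vol.unallocated())
```

After the delete, the whole memo carves straight out of unallocated space. Once the small note reuses the first cluster, the memo's header is gone but the rest of that cluster sits in the note's slack and the second cluster is still unallocated, which is the "complete or incomplete portions" the slide refers to.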

IV. Evidence Examination:
Deleted File Recovery Tools
Software
– Norton Unerase
– EnCase

Hardware
– Raw Disk
Readers


EnCase


Summary
Computer crime is more than hacking
Just because it’s deleted doesn’t
mean it’s gone
Don’t touch that computer! DO NOT
ACCESS FILES!
– Make copies -- examine copied files

Document EVERYTHING!
Maintain chain of custody

Acknowledgements
We would like to thank the
following for their assistance in the
preparation of this presentation:
– LSU students and alumni
• Patrick Blake, Erin Hopper, Jackson Kon,
Eric Smith, Xiaotao Wang

– LSU’s Computer Forensic Lab


Computer Forensics Resources

Federal Guidelines for Search and Seizing Computers
http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm
FBI Handbook of Forensic Services
http://www.fbi.gov/hq/lab/handbook/intro.htm
Updates and Supplementary DOJ Information
http://www.usdoj.gov/criminal/cybercrime/searching.html
Computer Crimes Criminal Justice Links
http://www.co.pinellas.fl.us/bcc/juscoord/ecomputer.htm
Computer and Internet Security Links
http://www.virtuallibrarian.com/legal/
Forensics Science and Law Enforcement Links
http://www.ssc.msu.edu/~forensic/links.html
The National White Collar Crime Center
PC Forensics
http://www.pcforensics.com
Computer Forensics, Inc.
www.forensics.com
SC Magazine
www.scmagazine.com
