CSI GAETC Introduction to Forensics and Data Recovery
Introduction to Computer Forensics
Brent Williams
MSTM, CWNA, CWSP, CNE, MCSE, A+, N+
KSU ETTC
Slides at: www.speakwisdom.com
brent@speakwisdom.com
Caveat
• I am not dispensing legal advice
• Use what you hear, read, and do at your own risk
• Consult with your legal advisor when conducting an investigation
The Need for Computer Forensics
• Anyone can access anything via the internet
• Students, faculty, staff and parents doing bad stuff!
• Technology is more sophisticated
– Faster
– More portable
• Schools have perceived responsibility
Concerns
• Pornography
– Child Pornography
• Emails
– Threatening
– Relationship related
• Instant Messages
• Web sites (MySpace)
– Bullying
– Faculty pages
Bringing Things to School
• Flash Memory Devices
• Containing what?
PDAs and Cell Phones
• Palm
– Fading?
– Lots of apps and storage (flash)
– Infrared and Bluetooth beaming
• Windows Mobile
– Lots of storage (flash)
– Familiar interface
– Easily networked (WiFi, Bluetooth)
– View photos and movies
– Capture images, sound
– More
Threats
• Downloads
– To School PCs
• CDs/DVDs
• Social Networking Sites
– Facebook
– MySpace
• Phishing
– Emails & Web sites
Objectives
• Gain Basic Knowledge
– What is Computer Forensics?
– Concepts
– Procedures
– What Not to Do?
– What to do Next?
• Learn some basic techniques
• Raise level of awareness
Do You Have a Duty To Report?
• Yes, if you suspect a crime has been committed
• Yes, if you suspect “sexual exploitation” including conduct involving child pornography.
• Once you bring in police, you stop forensic work.
Kinds of Forensics
• PC/Laptop
– Files, email, internet activity
• Device
– Cell phone
– PDA
– MP3 Player (iPod!)
• Network
– Internet traffic
– Local/wireless traffic
Places
• High Technology Crime Investigation Association
– www.htcia.org
• Atlanta HTCIA
– www.atlhtcia.org
• Southeast Cybercrime Summit
– www.southeastcybercrimesummit.com
Places
• Access Data (FTK)
– www.accessdata.com
• X-Ways Forensics (winhex)
– www.x-ways.com
• ProDiscover
– www.techpathways.com
• Helix
– www.e-fense.com
Certification
• Certified Computer Examiner
– http://www.certified-computerexaminer.com/index.html
• More
– Google search “computer forensics”
• Books
– Plenty!
– Check Amazon, BN, etc.
Preparation
What to Do Before You Start
You need the right people!
Build a Response Team
• Cover all bases
– Legal, Technical, Law Enforcement, PR
• Attorney or Legal Advisor
• Strong “Geek”
– Vast knowledge required
• School Law Enforcement Person, Local Police
• Public Relations
Incident Response Plan
• Response plan
– Who is called?
– How are others notified?
• Clear process
– Who has responsibility for what?
– Decision Points
• Policy issue / Legal issue
• Coordinate with law enforcement
– As appropriate
Someone Must Know Your Hardware & Software
• Servers
• Workstations
• PDAs
• CD-ROM, CD/DVD
• Webcams
• Modems
• Key Loggers
• USB Devices
• Wireless
• Windows
– 9x, 2000, 2003, XP
• Unix/Linux
• OS X
• DOS
• FAT
• NTFS
• EXT2/EXT3
Someone Must Know Auditing and Logging
• Know where the OS keeps its logs
• Know the kinds of OS logs
– Windows
• Event viewer
• Auditing
• Date and time of device
• Date and time of log entries
• File/Directory date & time stamps
Computer Evidence
Will this End Up in Court?
• Assume your case will!
• Courts require ample unaltered evidence
• Evidence must be processed properly
• A specially trained team should always conduct the investigation
Main Emphasis of Forensics
• Identify the Evidence
• Determine how to preserve the evidence
• Extract, process, and interpret the evidence
• Ensure that the evidence is acceptable in a court of law
Evidence
• Computer evidence is fragile
• Courts know that digital evidence is easily planted/altered
• You must be able to show that evidence is pristine and unmodified!
• See www.cybercrime.gov
Evidence
• Can include any form of electronic data
• Can include devices
– Computers
– CD-ROMs
– Floppies
– Cellular Telephones
– Pagers
– Digital Cameras
Rules
• More latitude in schools/businesses
– Internal processes
– Governed by policy documents
– Expectation of privacy
• Law enforcement works under more restrictive rules
– Subpoenas & search warrants
– Chain of command
– Agency boundaries
What to “Prosecute”?
• Harm inflicted?
• Violation of Written Policy?
• Policy communicated to teacher/student/parents?
• Investigation conducted by trained personnel?
• Successful investigation?
Problem in School Systems
• Security and Forensics projects don’t generate revenue
– Or FTEs
• Hard to get the “higher ups” to understand the need
– Until the superintendent's and board's picture is in the paper
• Money for training
• Politics of position
Training
• Training team is essential
• They need to
– Learn basic procedures
– Gain expertise in technical areas
• Sufficient Personal Interest?
– Get Certified
– Get degree
End User Training
• Users need to be aware
– School System Policies
– Requirements to guard information
– Laws
– Awareness of Illegal Activities
– Social Engineering
– Spyware
• Consider Yearly Seminar
• Splash Screen
Investigation
Do It Right!
• Photograph system scene
• Take Notes (two present)
• Get the basics
– System Model/SN
– HD model and SN
– System Date/Time
– BIOS boot info
• Power Down (pull plug)
– Laptop – Pull battery
Evidence Gathering
• Have secure-erased drives ready
• Get Suspect Drive Image
– Attach a write-blocker
– Get two or more images of the drive
• Seal original drive
– Place a copy of the drive back in the PC (if appropriate)
• Original drive should be locked away
• Control Chain of Custody
Capturing the Data Image
Preparing an Evidence Drive
• Use USB drive case
Preparing an Evidence Drive
• Use large drives
• Have several
• Secure-erase all drives
– Record date, time, and method
• Store in locked area
• Software to Secure Erase?
– Helix
– WinHex Pro
– ProDiscover
Prepare Evidence Drive
– Connect to Analysis PC
– WinHex Pro
• Select Physical Media (not Logical Drive)
• Edit / Fill Sectors / hex 00
• Will take several minutes
– (25 min for 40 GB)
Image Options
• Boot suspect PC with Helix
– Easiest for laptops
• Attach USB evidence drive
• Use AIR or similar tool to image drive
Image Options
• Remove HD from Suspect, place as Slave in Analysis PC
– Use Write Blocker
• Remove HD from PC, place in USB Case
– Use Write Blocker
• Protect the original!
Image Options
• Get image
– Multiple copies
• Image Type
– Drive to Drive
– Drive to Image File (DD)
Sources for Write Blockers
• www.digitalintelligence.com
• www.blackbagtech.com
• www.forensicpc.com
Other Image Options
• Use USB Evidence Drive
– Boot PC with Knoppix or Helix CD
– Open terminal window
– dd if=/dev/hda of=/dev/sda
– Speed: 1 hour per GB
– Boot PC with Helix CD
– Open terminal window
– dcfldd if=/dev/hda of=/dev/sda
– Speed: 4 min per GB
Other Image Options
• GHOST!
– Boot with BartPE CD
– Open command window
– Ghost32 -ir -fnf
– (Image Raw, No Fingerprint)
– Speed: 2 min per GB
• GHOST!
– Version 7.5 or later
– Boot with Ghost Floppy
– Ghost -ir -fnf
What is the Hash?
• Used to verify that image is accurate
• MD5 suspect drive or partition
• MD5 image
• Should match
• Record!
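As an added example (not from the slides), here are the evidence-drive wipe, the dd image and the "MD5 both, should match, record" steps from the last few slides, run against ordinary files that stand in for /dev/hda and /dev/sda; the function names, log format and coreutils commands (dd, od, md5sum, date, mktemp) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: the "secure-erase the
# evidence drive", "dd the suspect drive" and "MD5 both, should match,
# record" steps run against ordinary files standing in for /dev/hda
# (suspect) and /dev/sda (evidence). Assumes a POSIX shell with dd, od,
# md5sum, date and mktemp (GNU/Linux coreutils). Device paths, sizes
# and the log format are placeholders for the real case.

# Zero-fill the evidence target (WinHex "Fill Sectors / hex 00"), prove
# no non-zero byte survives, and log date, time and method as the deck asks.
prepare_evidence_drive() {
    target="$1"; size_mb="$2"; log="$3"
    dd if=/dev/zero of="$target" bs=1048576 count="$size_mb" 2>/dev/null
    # od dumps every byte as hex; after dropping spaces, zeros and
    # newlines, anything left is a byte that was not wiped.
    if od -An -v -tx1 "$target" | tr -d ' 0\n' | grep -q .; then
        echo "ERROR: $target still holds non-zero bytes" >&2
        return 1
    fi
    printf '%s wiped %s (%s MiB) method=dd-zero-fill\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$size_mb" >> "$log"
}

# MD5 of the suspect drive and of the image must agree, or the image
# is not evidence quality. Returns 0 on match, 1 on mismatch.
verify_image() {
    src_md5=$(md5sum "$1" | cut -d' ' -f1)
    img_md5=$(md5sum "$2" | cut -d' ' -f1)
    [ "$src_md5" = "$img_md5" ]
}

# Image sector by sector. conv=noerror,sync keeps dd going past a bad
# sector and pads it with zeros so later sectors keep their offsets;
# because of that padding the source must be a whole number of sectors
# (true for a real drive) for the hashes to be comparable.
image_and_verify() {
    suspect="$1"; image="$2"; log="$3"
    dd if="$suspect" of="$image" bs=512 conv=noerror,sync 2>/dev/null
    printf '%s imaged %s -> %s md5(src)=%s md5(img)=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$suspect" "$image" \
        "$(md5sum "$suspect" | cut -d' ' -f1)" \
        "$(md5sum "$image" | cut -d' ' -f1)" >> "$log"
    verify_image "$suspect" "$image"
}

# Constructed sample: a 1 MiB "suspect drive" of random bytes (2048
# sectors), a 2 MiB "evidence drive", and a custody log, all in a temp dir.
# dd truncates a regular file target to the image size, so whole-file hashes
# line up; on a larger real drive you would hash only the imaged sector range.
WORK=$(mktemp -d)
dd if=/dev/urandom of="$WORK/hda.bin" bs=512 count=2048 2>/dev/null
prepare_evidence_drive "$WORK/sda.bin" 2 "$WORK/custody.log"
if image_and_verify "$WORK/hda.bin" "$WORK/sda.bin" "$WORK/custody.log"; then
    echo "image verified"
fi
cat "$WORK/custody.log"
```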
Extracting Information from Data
Analysis
• Work on Image, not Original
• Time Consuming!
• Tools Allow
– Finding deleted files
• Images
• Email
• IE cache
– Searching for text (“drugs”, etc.)
– Show Hidden Files
– Show Hidden Partitions or Drives
Definitions
• Unallocated Space
– Space never used on a hard drive
– Space made available by deleted files
• Slack Space
– Space in a cluster not used by file data
1. Examine Suspect HD
• Boot Suspect PC with Helix
• Hidden Drive? (QTPARTED)
• Browse with File Manager
– See images, open documents
– See hidden partition
• Use Retriever
– Path /media/sda1
– Find images
1a. Examine USB Evidence Drive Image in Windows
• Use Windows Disk Management MMC to look at Partition
• MyComputer
• Search
• Wrong Extension?
• Encrypted?
• MS TweakUI
– Can be used to hide drive letters
2. Find Images
• (Not Deleted)
• ExifPro
• Easy
3. Find Deleted Files
• Great tool, easy to use
4. Examine in Windows
• Examine PC with Helix Windows
– System Information
• Drive letter discrepancy?
– Incident Response
• Windows Forensics Toolchest
• Security Reports
• (others want NetCat)
– Scan for Images
• (no path information)
– Windows Search (for files)
– Disk Management (for drives, partitions)
WinHex
• Open .dd file
• Specialist
– Interpret file as disk
• View all .jpg’s in file system
– Tools, Disk Tools, Explore Recursively
– You can add path column
• Look for .dbx files
WinHex
• Find .jpg’s in Unallocated space
– Tools, Disk Tools, File Recovery by Type
• Find text in files
– Search, Find Text (or Simultaneous Search)
Email - Outlook Express
• Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
• OE Reader (free)
• Mail stored in .dbx files
• Similar tools for Outlook .pst files
Passwords and Encryption
• NTPassword
– http://home.eunet.no/pnordahl/ntpasswd/
• Password Tools
– http://www.passwordportal.net/
– http://www.brothersoft.com/downloads/crack-password.html
– http://www.elcomsoft.com/index.html
– http://www.accessdata.com/
Steganography and Keystroke Logging
• Steganography
– Try Steganote
• Keystroke logging
– Try 007Starr
Common Forensics Tools
PRODISCOVER
• Create Case
• Add Image
• Content View
– Examine Deleted Files
• Click check box on interesting file
• Make comment
• Gallery view
PRODISCOVER
• Content Search
– Search for pattern
• Drugs, sex, etc.
– Click Search Results
• Finds anything: docs and email!
• Search for *.jpg
PRODISCOVER
• What about files with the wrong extension?
– Pick Folder on Left Side
– Tools – Signature Matching
– Export Report
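The "Wrong Extension?" question and the Signature Matching step above come down to one check: do a file's first bytes agree with its extension? This added example (not the slides' or ProDiscover's code) does that check over a directory; the function names and the constructed sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original slides or from ProDiscover: a
# minimal "signature matching" pass that compares a file's leading
# bytes with its extension, so an image renamed to .doc or stripped of
# its extension is flagged. Assumes a POSIX shell with od, tr, find and
# basename. The magic numbers are the documented ones for each format.

# Print the type implied by the first 8 bytes: jpeg, png, gif, pdf,
# zip (also Office 2007+ documents), or unknown.
detect_type() {
    magic=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)           echo jpeg ;;
        89504e470d0a1a0a*) echo png ;;
        474946383[79]61*)  echo gif ;;
        255044462d*)       echo pdf ;;
        504b0304*)         echo zip ;;
        *)                 echo unknown ;;
    esac
}

# Lower-case extension without the dot; empty when the name has none.
ext_of() {
    name=$(basename "$1")
    case "$name" in
        *.*) printf '%s\n' "${name##*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   echo "" ;;
    esac
}

# Return 0 when the signature and extension disagree (a recognised type
# with no extension at all counts as a mismatch), 1 when they agree or
# the signature is not one we know. .jpg and .jpeg are the same type.
ext_mismatch() {
    type=$(detect_type "$1")
    ext=$(ext_of "$1")
    [ "$ext" = jpg ] && ext=jpeg
    [ "$type" != unknown ] && [ "$type" != "$ext" ]
}

# Walk a tree and print "path<TAB>extension<TAB>detected" for each
# mismatch; feed it the mount point of the evidence image, not the original.
report_mismatches() {
    find "$1" -type f | while read -r f; do
        if ext_mismatch "$f"; then
            printf '%s\t%s\t%s\n' "$f" "$(ext_of "$f")" "$(detect_type "$f")"
        fi
    done
}

# Constructed sample: a JPEG header saved as .doc, a PNG header with the
# right extension, and a text note. Only report.doc should be listed.
WORK=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$WORK/report.doc"
printf '\211PNG\r\n\032\n'   > "$WORK/logo.png"
printf 'just notes\n'        > "$WORK/notes.txt"
report_mismatches "$WORK"
```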
Pulling It All Together
You are now…
Dangerous!
Keep Going!
Questions?
Thank you!
www.speakwisdom.com