bh-win-01-mobley.ppt 1556KB Jun 23 2011 12:10:06 PM

Computer Forensics,
The Investigator's Perspective

Paul T. Mobley Sr. ([email protected])
Computer Forensics Consultant
Jawz Inc.

What is Computer Forensics?
Computer Forensics can be defined simply as the
process of applying scientific and analytical
techniques to computer operating systems and file
structures in order to determine whether they hold
potential legal evidence.

Overview of Presentation
• Why is Evidence identification and
Preservation required?
• Who benefits from Computer Forensics?
• General Types of Forensic Examinations
requested.

• Process of Forensics.
• Tools of the trade.
• What is the Examiner looking for?

Why is Evidence important?
• In the legal world, Evidence is
EVERYTHING.
• Evidence is used to establish facts.
• The Forensic Examiner is not biased.

Who needs Computer Forensics?
• The Victim!
• Law Enforcement
• Insurance Carriers
• Ultimately the Legal System


Who are the Victims?
• Private Business
• Government
• Private Individuals

Reasons for a Forensic Analysis
• ID the perpetrator.
• ID the method/vulnerability of the network that
allowed the perpetrator to gain access to the
system.
• Conduct a damage assessment of the victimized
network.
• Preserve the Evidence for judicial action.

Types of Forensic Requests
• Intrusion Analysis
• Damage Assessment
• Suspect Examination
• Tool Analysis
• Log File Analysis
• Evidence Search

Intrusion Analysis
• Who gained entry?
• What did they do?
• When did this happen?
• Where did they go?
• Why the chosen network?
• How did they do this?

Damage Assessment
• What was available for the intruder to see?
• What did he take?
• What did he leave behind?
• Where did he go?

File Recovery
• Deleted Files
• Hidden Files
• Slack Space
• Bad Blocks
• Steganography
• X-Drives
• NTFS Streams

NTFS Streams
The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
Copyright (c) 1998 NT OBJECTives, Inc. All Rights Reserved

• AFind - File access time finder
• SFind - Hidden data streams finder
• HFind - Hidden file finder
• An alternate data stream is addressed as file.txt:streamname. It
does not appear in Explorer, in dir output, or in the file's reported
size, so a stream finder such as SFind (or a sector-level image of
the volume) is needed to see it. Streams survive an NTFS-to-NTFS
image but are silently dropped when the file is copied to FAT media.


Tool Analysis
• What tools were used?
• How were they executed?
• What language were they written in?
• File comparison with the Suspect's files.

Log File Analysis
• Events.
• What Events are monitored?
• What do the event records reveal?
• Firewall/Router/Server log files?
• TripWire Database?
• Modem/FTP/Telnet/RAS
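The questions on this slide (what happened, when, and from where) can only be answered once every log source is on a single clock. The following is an added example, not code from the original deck: it parses three constructed log formats (a firewall log written in local time, a W3C-style FTP log and an NT Event Viewer CSV export), normalises them to UTC, sorts them into one timeline, and then answers "where did this logon come from?" by correlating the NT logon event (which carries no source address) with the network logs that precede it. The log lines, hostnames, addresses, and the per-source time-zone offsets are all constructed assumptions.

```python
"""Normalise log lines from three sources to one UTC timeline and correlate
them.  Added example for the log-analysis slide, not code from the original
deck; every log line below is constructed, and the per-source time-zone
offsets are assumptions stated in the constants."""
import csv
import re
from datetime import datetime, timedelta, timezone

# Assumed clock settings of the constructed sources.  Establishing these (and
# any clock skew) before reading a single line is the first step of log analysis.
FIREWALL_TZ = timezone(timedelta(hours=-5))   # firewall writes local time, UTC-5
FTP_TZ = timezone.utc                         # W3C-style FTP log, written in UTC
EVENTLOG_TZ = timezone.utc                    # NT event log, server clock set to UTC

# Constructed sample lines (RFC 5737 documentation addresses).
FIREWALL_LOG = """\
Jun 12 2001 17:02:55 fw1 ACCEPT TCP 203.0.113.7:3371 -> 192.0.2.10:21
Jun 12 2001 17:02:58 fw1 ACCEPT TCP 203.0.113.7:3372 -> 192.0.2.10:139
Jun 12 2001 17:09:40 fw1 DROP TCP 198.51.100.4:4455 -> 192.0.2.10:23
"""
FTP_LOG = """\
2001-06-12 22:03:02 203.0.113.7 jdoe [1]USER jdoe 331
2001-06-12 22:03:05 203.0.113.7 jdoe [1]PASS - 230
2001-06-12 22:03:40 203.0.113.7 jdoe [1]sent /tools/nc.exe 226
"""
# Event Viewer CSV export: date,time,source,type,category,event id,user,computer,description
EVENT_LOG = """\
6/12/2001,10:03:17 PM,Security,Success Audit,Logon/Logoff,528,CORP\\jdoe,FILESRV,Successful Logon: Logon Type: 3
6/12/2001,10:05:02 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,FILESRV,Logon Failure: User Name: administrator Logon Type: 3
"""

FW_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (\S+) (ACCEPT|DROP) (\S+) "
                   r"(\S+):(\d+) -> (\S+):(\d+)$")


def to_utc(local: datetime, tz: timezone) -> datetime:
    """Attach the source's zone to a naive local timestamp and convert to UTC."""
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_firewall(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # a real tool would count and report unparsable lines
        ts, _host, action, proto, sip, sport, dip, dport = m.groups()
        events.append({"utc": to_utc(datetime.strptime(ts, "%b %d %Y %H:%M:%S"), FIREWALL_TZ),
                       "source": "firewall", "ip": sip, "user": None,
                       "msg": f"{action} {proto} {sip}:{sport} -> {dip}:{dport}"})
    return events


def parse_ftp(text: str) -> list:
    events = []
    for line in text.splitlines():
        date, time_, ip, user, rest = line.split(" ", 4)
        events.append({"utc": to_utc(datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"), FTP_TZ),
                       "source": "ftp", "ip": ip, "user": user, "msg": rest})
    return events


def parse_eventlog(text: str) -> list:
    events = []
    for row in csv.reader(text.splitlines()):
        date, time_, _src, typ, _cat, event_id, user, _computer, desc = row
        events.append({"utc": to_utc(datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p"), EVENTLOG_TZ),
                       "source": "eventlog", "ip": None,
                       "user": user.split("\\")[-1], "msg": f"{event_id} {typ}: {desc}"})
    return events


def build_timeline() -> list:
    events = parse_firewall(FIREWALL_LOG) + parse_ftp(FTP_LOG) + parse_eventlog(EVENT_LOG)
    return sorted(events, key=lambda e: e["utc"])


def correlate_logons(timeline: list, window: timedelta = timedelta(seconds=60)) -> dict:
    """For each successful logon (NT event 528) list the remote addresses with
    network activity in the preceding window.  The event record itself carries
    no source IP, so the firewall and FTP logs supply the 'where from'."""
    result = {}
    for e in timeline:
        if e["source"] != "eventlog" or not e["msg"].startswith("528"):
            continue
        ips = sorted({x["ip"] for x in timeline
                      if x["ip"] and e["utc"] - window <= x["utc"] <= e["utc"]})
        result[e["user"]] = ips
    return result


if __name__ == "__main__":
    for e in build_timeline():
        print(e["utc"].isoformat(), e["source"], e["ip"] or "-", e["user"] or "-", e["msg"])
    print(correlate_logons(build_timeline()))
```

The firewall's 17:02:55 local entry lands at 22:02:55Z, twenty seconds before the FTP PASS and the NT logon, which is what makes the correlation possible; read the same three logs without the offsets and the firewall "evidence" appears five hours before the intrusion.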

Evidence Search
• Image Files
• Software applications
• Deleted Files
• Hidden Files
• Encrypted Files
• Hidden partitions
• Keyword Search
• Known Remote Access Tools
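The File Recovery slide (deleted files, slack space) and the Evidence Search slide (image files, keyword search) both come down to reading the raw image rather than trusting the file system. The following is an added example serving both slides, not code from the original deck: it carves image files by header/footer signature from a constructed byte buffer (so a deleted JPEG with no directory entry is still found), extracts the slack between a live file's logical end and the end of its cluster, and runs a keyword search in both ASCII and UTF-16LE, since Windows stores much of its text in the latter and an ASCII-only search misses it. The cluster size, the "volume" contents and the JPEG (only a byte string carrying the JPEG signature) are constructed.

```python
"""Header/footer carving, slack-space extraction and keyword search over a raw
image.  Added example serving the File Recovery and Evidence Search slides; it
is not code from the original deck.  The image is a constructed byte buffer."""
import hashlib
import re

CLUSTER = 512   # assumed cluster size of the constructed volume

# Header and footer signatures.  Carving ignores the file system, so a deleted
# file whose clusters have not been reused is recovered even though no
# directory entry points at it any more.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_sample_image() -> bytes:
    """Constructed 4-cluster volume: a live text file whose cluster still holds
    slack from a deleted note, a deleted 'JPEG' in unallocated space, and a
    UTF-16LE string in the last cluster."""
    img = bytearray(4 * CLUSTER)
    live = b"Quarterly report: sales up 4%.\n"             # 31 bytes, the live file
    residue = b"old note: evidence copied to X-drive\n"     # left over in slack
    img[0:len(live)] = live
    img[len(live):len(live) + len(residue)] = residue
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 100 + b"\xff\xd9"
    img[CLUSTER:CLUSTER + len(jpeg)] = jpeg
    u16 = "Evidence".encode("utf-16-le")
    img[3 * CLUSTER:3 * CLUSTER + len(u16)] = u16
    return bytes(img)


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return every header..footer span found, with offset, size and hash so
    the recovered file can be documented and re-identified later."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1      # header without footer: fragmented or overwritten
                continue
            end += len(footer)
            blob = image[start:end]
            found.append({"type": kind, "offset": start, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def slack_bytes(image: bytes, file_offset: int, file_size: int, cluster: int = CLUSTER) -> bytes:
    """Bytes between a file's logical end and the end of its last cluster.  The
    file system never shows them, but they hold whatever occupied the cluster
    before the current file was written."""
    clusters = -(-file_size // cluster)      # ceiling division
    return image[file_offset + file_size:file_offset + clusters * cluster]


def keyword_search(image: bytes, keywords: list) -> list:
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE.
    Registry values, many log strings and document text on Windows are
    UTF-16LE, so an ASCII-only search silently misses them."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append({"keyword": kw, "offset": m.start(), "encoding": enc})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    img = build_sample_image()
    print(carve(img))
    print(slack_bytes(img, 0, 31).rstrip(b"\x00"))
    print(keyword_search(img, ["evidence"]))
```

On a real image the offsets come from the volume's boot sector and file-system metadata; the point of `slack_bytes` is that the live file's reported size (31 bytes here) hides the 481 bytes that follow it in the same cluster.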

Forensics Process
• Preparation
• Protection
• Imaging
• Examination
• Documentation

Preparation

• Confirm the authority to conduct analysis/search of
media.
• Verify the purpose of the analysis and the clearly defined
desired results.
• Ensure that sterile media is available and utilized for
imaging (i.e. free of viruses and non-essential files, and
verified before use).
• Ensure that all software tools utilized for the analysis are
tested and widely accepted for use in the forensics
community.

Legal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private
employers rarely violate the Fourth Amendment. So long
as the employer is not acting as an instrument or agent of
the Government at the time of the search, the search is a
private search and the Fourth Amendment does not
apply. See Skinner v. Railway Labor Executives’ Ass’n,
489 U.S. 602, 614 (1989).


• Consult with your Legal Counsel

Protection
• Protect the integrity of the evidence.
Maintain control (chain of custody) until final disposition.
• Prior to booting the target computer,
DISCONNECT the HDD and verify the CMOS settings
(boot order, system date and time); booting from the
evidence drive writes to it.
• When booting a machine for analysis,
utilize HD lock (write-blocking) software.

•Typical CBD Files

Imaging
• Utilize disk "imaging" software to make an
exact (bit-for-bit, including unallocated and slack
space) image of the target media. Verify the image
by hashing both the source and the image and
comparing the results.
• When conducting an analysis of target
media, utilize the restored image of the
target media; never utilize the actual target
media.

• Imaging Software
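The slide says "make an exact image" and "verify the image"; the details that matter on a real drive are what happens to a sector that will not read and how the verification is tied to the acquisition. The following is an added example, not code from the original deck or any imaging product: it images a constructed in-memory disk sector by sector, re-reads a failing chunk one sector at a time, zero-fills the sectors that still fail (keeping every offset in the image where it was on the source, as dd's conv=noerror,sync does) and records them, and hashes the image while writing so that an independent re-hash later can confirm nothing changed. The disk contents, the bad sector and the chunk size are constructed.

```python
"""Sector-level acquisition with read-error handling and hash verification.
Added example for the Imaging slide, not code from the original deck.  The
'device' is a constructed in-memory disk with one unreadable sector so that
the script runs offline; on a real job the source is the write-blocked
evidence drive."""
import hashlib
import os
import tempfile

SECTOR = 512


class FakeDisk:
    """Constructed evidence disk: raises OSError for any read touching a sector
    in `bad`, as a drive with a media error does."""
    def __init__(self, data: bytes, bad: set):
        self.data, self.bad = data, bad
        self.sector_count = len(data) // SECTOR

    def read_sectors(self, start: int, count: int) -> bytes:
        if any(s in self.bad for s in range(start, start + count)):
            raise OSError("I/O error")
        return self.data[start * SECTOR:(start + count) * SECTOR]


def image_device(disk, out_path: str, chunk_sectors: int = 2048):
    """Copy every sector to out_path, hashing as we go.  A failing chunk is
    re-read one sector at a time; sectors that still fail are zero-filled and
    recorded, so offsets in the image match the source and the report can
    state exactly which sectors are not evidence.  Returns (sha256, bad)."""
    digest = hashlib.sha256()
    bad_sectors = []
    with open(out_path, "wb") as out:
        for start in range(0, disk.sector_count, chunk_sectors):
            n = min(chunk_sectors, disk.sector_count - start)
            try:
                chunk = disk.read_sectors(start, n)
            except OSError:
                pieces = []
                for s in range(start, start + n):
                    try:
                        pieces.append(disk.read_sectors(s, 1))
                    except OSError:
                        bad_sectors.append(s)
                        pieces.append(b"\x00" * SECTOR)
                chunk = b"".join(pieces)
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest(), bad_sectors


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash the image independently of the acquisition run.  Repeat this
    before and after every analysis session; a mismatch means the copy being
    examined is no longer what was acquired."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256


def demo() -> dict:
    """Image a 16-sector constructed disk whose sector 5 is unreadable, using a
    small chunk size so the per-sector fallback is exercised."""
    disk = FakeDisk(bytes(range(256)) * 32, bad={5})
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        sha, bad = image_device(disk, path, chunk_sectors=4)
        ok = verify_image(path, sha)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.unlink(path)
    sector = lambda buf, s: buf[s * SECTOR:(s + 1) * SECTOR]
    return {"sha256": sha, "bad_sectors": bad, "verified": ok,
            "image_size": len(image),
            "bad_sector_zeroed": sector(image, 5) == b"\x00" * SECTOR,
            "good_sectors_match": all(sector(image, s) == sector(disk.data, s)
                                      for s in range(disk.sector_count) if s != 5)}


if __name__ == "__main__":
    print(demo())
```

Note that with a bad sector present the source can never be hashed in full, so the acquisition hash is a hash of the image (zero-filled sectors included) and the bad-sector list is part of the record; both go in the documentation alongside the tool and version used.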

Examination
• The Operating System
• Services
• Applications/processes
• Hardware
• LOGFILES! System, Security, and Application
• File System

Examination Continued
• Deleted/Hidden Files/NTFS Streams
• Software
• Encryption Software
• Published Shares/Permissions
• Password Files
• SIDs
• Network Architecture/Trusted Relationships

Off-Site Storage
• "X-Drives"
• FTP Links
• FTP Logs
• Shares on internal networks

Security Identifiers
• SIDs can be used to ID the perpetrator.
• A SID is used within Win2K to identify a user or group;
the account name is only a label attached to it.
• Security (permissions in ACLs, ownership, audit records) is
applied to the SID, so the SID is what must be matched, not
the name.

Where to find the SID
• The ProfileList registry key
(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList)
maps each SID that has logged on interactively to its profile
path; SIDs also appear in ACLs and in Security event log records.

SID Structure
• S = SID, 1 = revision, 5 = identifier authority (NT Authority),
21 = a domain or local-machine SID follows.
• Domain Identifier: All values in the series,
excluding the last value, ID the Domain.
• Relative Identifier (RID) is the last value.
This IDs the Account or Group. RIDs 500 (Administrator)
and 501 (Guest) are fixed and survive renaming the account;
1000 and above are accounts created after installation.
• S-1-5-21-838281932-1837309565-1144153901-1000
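To use the SID for attribution the examiner has to split it the way the slide describes, and has to recognise it in both forms in which it turns up on the system: the textual S-1-5-... string (registry key names, tool output) and the binary form inside security descriptors and registry data. The following is an added example, not code from the original deck: a parser for both forms that yields the domain identifier and RID, flags well-known RIDs, and tells whether two SIDs were issued by the same domain. The sample SID is the slide's own (with the separator between its second and third sub-authorities, which the slide text lost, restored); the binary sample is built from it here, and the well-known RID table is limited to four entries.

```python
"""Parse Windows SIDs in the textual S-1-5-... form and in the binary form
stored in security descriptors and registry data.  Added example for the SID
slides; not code from the original deck.  SAMPLE_SID is the slide's sample
with its separator restored; SAMPLE_SID_BINARY is constructed from it."""
import struct
from dataclasses import dataclass

# RIDs fixed by Windows.  They survive renaming of the account, which is why
# 'Administrator renamed to jsmith' is still identifiable as RID 500.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    def __str__(self) -> str:
        return "S-" + "-".join(str(v) for v in
                               (self.revision, self.identifier_authority, *self.sub_authorities))

    @property
    def domain_identifier(self) -> str:
        """All sub-authorities but the last: identifies the issuing domain or
        local SAM."""
        return str(Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1]))

    @property
    def rid(self) -> int:
        """Last sub-authority: the account or group within that domain."""
        return self.sub_authorities[-1]


def parse_sid_string(text: str) -> Sid:
    fields = text.strip().split("-")
    if len(fields) < 4 or fields[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(fields[1]), int(fields[2])
    subs = tuple(int(f) for f in fields[3:])
    # Each sub-authority is a 32-bit value, and there are at most 15 of them;
    # a run of digits that exceeds 32 bits is a transcription error.
    if revision != 1 or len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid_string(text)
        return True
    except ValueError:
        return False


def parse_sid_binary(data: bytes) -> Sid:
    """Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count little-endian
    uint32 sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:8 + 4 * count])
    return Sid(revision, authority, tuple(subs))


def sid_to_binary(sid: Sid) -> bytes:
    n = len(sid.sub_authorities)
    return (bytes([sid.revision, n]) + sid.identifier_authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.sub_authorities))


def describe(sid: Sid) -> dict:
    return {"sid": str(sid), "domain": sid.domain_identifier, "rid": sid.rid,
            "well_known": WELL_KNOWN_RIDS.get(sid.rid)}


def same_domain(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued by the same domain or machine: the test
    to apply when matching an account seen in an ACL or audit record to the
    domain that created it."""
    return a.domain_identifier == b.domain_identifier


SAMPLE_SID = "S-1-5-21-838281932-1837309565-1144153901-1000"
SAMPLE_SID_BINARY = sid_to_binary(parse_sid_string(SAMPLE_SID))   # constructed from the text form

if __name__ == "__main__":
    print(describe(parse_sid_string(SAMPLE_SID)))
    print(SAMPLE_SID_BINARY.hex())
```

The validity check is not decoration: a SID whose sub-authority does not fit in 32 bits cannot exist on any Windows system, so a report or screen capture showing one has been mistyped or mangled and must be re-checked against the source before it is used to name a suspect.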

Documentation
• Document EVERYTHING
• Reason for Examination
• "The Scene"
• Utilize Screen Capture/Copy Suspected files
• All apps for Analysis/apps on Examined system.
• Users

Closing
• Forensic Techniques are based on the File
System of the media to be examined.
• Utilizing an NTFS partition enhances
security. It further increases the Forensic
examiner's chances of recovering useful
evidence.
• The Investigator is looking for evidence to
establish a FACT(s).
