Cyber Chain of Custody. Acquisition. Cyber Chain of Custody. Evidence Dynamics and the Introduction of Error. Must Be Proven!

Transcription

1 Acquisition Cyber Chain of Custody Week 2 Protect the data from the Investigator Cyber Chain of Custody Cyber Chain of Custody Just like regular evidence, e- evidence must adhere to a Chain of Custody The challenges with e- evidence is that is easily damaged and changed Data is subject to physical corruption just like classic evidence e.g. dropped, fire, water, etc It is also subject to being changed in subtle ways by hardware and software So, special care is required at all stages of an investigation 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Evidence Dynamics and the Introduction of Error Offenders, victims, first responders, digital evidence examiners and anyone else who had access to digital evidence prior to its preservation can cause change evidence Media containing digital evidence can deteriorate over time or exposed to fire, water, toxic chemicals. Must Be Proven! No information has been added, deleted, or altered in the copying process or during analysis A complete copy was made and verified A reliable copying process was used All media was secured All data that should have been copied had been copied 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

2 Chain of Custody Procedures Chain of Custody Procedures Handling of e-evidence must follow the Three C s of Evidence care control chain of custody Keep an evidence log that shows when evidence was received, seized, and located Record dates if items are released to anyone Restrict access to evidence Place original hard drive in an evidence locker Perform all forensics on a mirror-image copy, never on the original data 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Document and Collect Data Investigation Objectives and Chain of Custody Practices Documentation needs to be precise and organized Document each of the following: location, date, time, witnesses system information, including manufacturer, serial number, model, and components status of the computer, such as whether it was running and what was connected to it physical evidence collected Investigation Objectives Document the scene, evidence, activities, and findings Acquire the evidence Authenticate the copy Chain of Custody Practices Document everything that is done; keep detailed records and photographs, etc. Collect and preserve the original data, and create an exact copy Verify that the copy is identical to the original 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Investigation Objectives and Chain of Custody Practices Report Procedures Investigation Objectives Analyze and filter the evidence Be objective and unbiased Present the evidence/evaluation in a legally acceptable manner Chain of Custody Practices Perform the technical analysis while retaining its integrity Ensure that the evaluation is fair and impartial to the person or people being investigated Interpret and report the results correctly 1. All reports of the investigation should be prepared with the understanding that they will be read by others 2. The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations 3. Only the facts of the investigation should be presented; opinions should be avoided 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

3 Certification and Training Programs EnCE EnCase Certified Examiner Global Information Assurance Certification (GIAC) Computer Hacking Forensic Investigator (CHFI) Computer Forensic External Certification (CCE) Forensic Copies You are unique, and so am I 7/17/2018 Sacramento State - Cook - CSc Summer Create a Drive Image Create a Drive Image Original data must be protected from any type of alteration To protect original data, analysis should be performed on a forensic copy of the original drive or device There are different ways of making forensic copies Examples: Drive imaging or mirror imaging Sector-by-sector or bit-stream imaging 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Acquiring a Forensic Copy Hashes Use a forensically wiped hard drive for copying A simple, single, format is not acceptable To insure there is no data left the drive must be wiped several times 3 to 5 times by DoD standards this can take a long, long time There must be a reliable method of verifying that the original and the copies are identical A hash is a mathematical function that will give a unique value for any piece of data Hashes are routinely used by password systems and to determine if two volumes are forensically identical 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

4 Hashes Evidence Integrity A hash is like a computer data fingerprint If two files are different they will not have the same hash value for most algorithms, the hash values will be different even if a single bit is different Hashing algorithms are accepted as reliable methods for determining whether two blocks of data (file, drive, etc.) are identical to the bit level Common Hashes Cyclic Redundancy Check (CRC) Message Digest (MD5) Secure Hash Algorithm (SHA-160, SHA-256) 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Where Used Safeback WinHex Forensic EnCase Forensic Toolkit (FTK) Snapback DataArrest Byte Back Advanced Data Acquisition Its Not A Simple as Taking a Body 7/17/2018 Sacramento State - Cook - CSc Summer Data Acquisition Exceptions to the "Copy Rule" Data is easy to change and damage So, acquisition must be done with upmost care However, sometimes hard drive cannot be removed or data must be captured live! Best practice is to work with a copy of the original data Exceptions to this rule may occur when it is more important to contain an attack or stop a crime It may also be impossible to copy an entire system 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

5 Boot Disks Unix Evidence Acquisition Boot Disk Create a verifiably non-invasive commandline boot disk with the tools needed for acquisition, verification and analysis Use the following alternatives Linux boot floppy Linux live CD-ROM FIRE bootable CD-ROM Software write-blockers (PDBlock) Hardware write-blockers (FastBloc) UNIX can access drives as read-only Bootable CD or thumb drive can contain the UNIX operating system allows data to be analyzed without changing it however one disk will not work for all cases - the hardware platforms are different A Linux boot CD can be used to boot and access a Windows computer e.g. F.I.R.E. 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Boot Disk Example Boot Disk Example Sun SPARC Enterprise 3500 system contained 9 GB Seagate Fiber Channel drive This is incredibly unusual and the forensic lab did not have the hardware to connect the drive Their solution used a bootable CD and used the suspects computer hardware to access the drive drive was bitstream copied (using the UNIX dd command) to an external SCSI drive 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Windows Evidence Acquisition Boot Disk Power Down or Unplug? The rules of evidence dictate that evidence, once seized, cannot be changed But, Windows is extremely invasive updating hundreds of files on each boot-up booting the computer can destroy evidence there is no facility in Windows for mounting a drive as Read-Only How, then, can the Forensic Examiner access the drive for examination purposes? If a PC is running, how do you power it down? Using the operating system to power down is risky temporary files might be deleted date/time stamps changed patches applied to OS 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

6 Power Down or Unplug? Current best practice is to unplug the PC from its power source, preserving the data environment Forensic Tools Does it have a Sonic Screwdriver? 7/17/2018 Sacramento State - Cook - CSc Summer Forensic Tools Choice of Tools There are a large number of forensic tools available to investigators Most are expensive and not surprising so given the have to validated for court use There is also open-source software that can be helpful (but not in court) Many factors affect the choice of tools Examples: operating system software applications hardware platforms state of the data domestic and international laws concerns about bad publicity or liability 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer How Tools Can Help EnCase Recreate a specific chain of events or sequence of user activities Search for key words and dates and determine which of the data is relevant Search for copies of document drafts Search for potentially privileged information Search for the existence of programs Authenticate files and date/time stamps EnCase Cybercrime Arsenal is a customizable package of software, hardware, and training Available in three packaged solutions Offers four views of collected data: Table - displays files in a spreadsheet-style format Gallery - view of all images Timeline - calendar-style view of file activity Report - helps create tailored reports 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

7 Forensic Toolkit (FTK ) OS Forensics Forensic Toolkit (FTK ) used for finding and examining computer evidence Ultimate Toolkit contains FTK plus other modules for recovering passwords, analyzing registry data, and wiping hard drives OS Forensics is a free evidence toolkit Created by PassMark (which has a stellar reputation) While not as advanced as FTK or Encase it is quite a robust application and it is very, very easy to use It can read FTK and Encase evidence files! 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer WinHex Toolkits Only For UNIX/Linux Used for forensic, data recovery and processing, and IT security Some of the tools: editor for FAT12/16/32, NTFS, Ext, etc can interpret RAID systems data interpreter for 20 data types disk cloning driving wiping Autopsy and Sleuth Kit for investigating file systems and volumes of suspect computers dtsearch for combing through large amounts of data for up to 250 different file types 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Toolkits Only For Macintosh PDA Seizure BlackBag a set of 19 tools for examining Macintosh computers, including Directory Scan FileSpy HeaderBuilder MacQuisition forensic acquisition tool used to safely image Macintosh systems A comprehensive forensic tool from Paraben for investigating Palm, Pocket PCs, iphone, Droid, and BlackBerry devices Can produce forensic images and perform data searches as well as crack passwords for Palm 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

8 In Practice: Do Nothing Without Competence Forensics Equipment: Hardware Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures Companies should have a proper incident response plan and policies in place Computer forensics labs should have a wide variety of hardware In some cases, seized hardware may be rare or outdated Legacy systems are useful PCs that can read 5¼" floppies dead platforms such as Commodore 64, Apple II, etc 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Forensics Equipment: Hardware Forensics Equipment: Operating Systems Common hardware: Workstations Assortment of power cables USB 2.0, FireWire cables, and power supplies Electrostatic mats Hard disks, and spare expansion cards (PCI, ISA, etc.) Forensics labs should have multiple computer platforms ready Some applications (or hardware) will only work with a specific operating system or platform 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Forensics Equipment: Operating Systems Forensics Equipment: Software Examples: Windows 10, 8, 7, XP, 2000, NT 4.0, NT 3.5, 98, 3.11, and DOS 6.22 Apple Macintosh OS 10.x, Tiger, and older Linux: including Fedora, Caldera Open Linux, Slackware, Ubuntu and Debian Lab needs to have multiple applications available These can be current ones, but legacy ones might be needed for old/rare file types 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

9 Forensics Equipment: Software Forensics Equipment Examples: Microsoft Office (latest), XP, 2000, 97, 95 Quicken and Peachtree accounting software Visual Basic and Visual C++ Quick View, ACDSee, ThumbsPlus, IrfanView OpenOffice (Star Office) Corel Office (Legacy) DOSBox (emulate DOS systems) Type Tool Free? Web Site Password cracker Passware kit Yes Password cracker Portable hard disk duplicator Portable hard drive and media duplicator Forensic intrusion detection, and scanning tools John the Ripper Disk Jockey Logicube Yes Foundstone Yes resources/forensics.htm 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Importance of Hard Drive Expertise Searching Hard drives Looking for Many Needles in a Very Big Haystack Tools are available to work with hard disks but it is important for investigators to know what is happening behind the scenes Tools have their limitations may only partially recover a deleted file but an experienced investigator may be able to locate the remainder investigators must recognize and address it 7/17/2018 Sacramento State - Cook - CSc Summer Residual Data Best Approach Residual data is data that has been deleted but not erased Residual data may be found in unallocated storage or file slack space Slack consists of: RAM slack area from the end of a file to the end of the sector File slack additional sectors needed to fill a cluster, but are not used by the file Conducted with verified tools: identify, collect, filter, tag and bag, store, and preserve e-evidence Conducted by individuals who are certified in the use of verified tool Documented thoroughly 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

10 Notes on Windows Drive Acquisition In Practice: Write Blocking and Protection Write blockers are especially needed because Windows are always automatically mounted Read/Write In contrast UNIX/Linux drives can be mounted as read-only Remote acquisition is possible through cross over cable or over a network Never turn on a PC without having writeblocking software or devices in place Write-blocking devices prevent any writes to a drive such as may occur when simply turning on a system 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Effective Data Searches Effective Data Searches Carefully prepare and plan the search ahead of time Interview the IT staff to learn how and where data has been stored Confirm or define the objective of the investigation Identify relevant time periods and scope of the data to be searched Identify the relevant types of data Identify search terms for data filtering to help locate relevant data and filter out what is irrelevant Metadata can be invaluable to the filtering process Get usernames and passwords for network and accounts Check for other computers/devices that could contain evidence 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Identify Data Types Keyword Search Active data Deleted files Hidden, encrypted, and password-protected files Automatically stored data and instant messages Background information WinHex, EnCase, FTK, and Linux have the capability to search for keywords When notable data is found, it becomes evidence and must be acquired copied completely If a large numbers of volumes need to be searched a keyword search can focus attention on the right one 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer

11 Searching Tips: Keywords Searching Tips: Keywords When you enter a keyword into a search program, you are actually entering a search term System will find that exact term If you use multiple words, you can restrict the number of results, but also exclude essential evidence If an essential keyword is commonly misspelled, you might search both the correct and common misspellings These tools also can pattern match for items using "regular expressions" 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Searching Tips: File Types Searching Tips: File Types Most file systems do not store the dot in filenames. Searching for *.jpg will not find the file (but the mentioning of the file in e- mail, etc.) Just search for the extension Fortunately, most forensics applications will automatically find images but not always 7/17/2018 Sacramento State - Cook - CSc Summer /17/2018 Sacramento State - Cook - CSc Summer Scenario Project #1 The Mysterious Thumb Drive Wendy Martin, an executive assistant, states she saw Vice President Stewart viewing child porn on this computer She immediately contacted Human Resources 7/17/2018 Sacramento State - Cook - CSc Summer

12 Scenario Stewart denied the charge and produced a USB thumb drive he said he found on the floor You were asked to analyze the thumb drive 7/17/2018 Sacramento State - Cook - CSc Summer