Digital Forensics Lecture 5. DF Analysis Techniques

Transcription

1 Digital Forensics Lecture 5 DF Analysis Techniques

2 Current, Relevant Topics Wells Fargo is notifying an unspecified number of employees that their personal data, including names, Social Security numbers (SSNs), as well as some health insurance and prescription drug information, may have been compromised following the theft of a laptop computer did not comply with established policies for safeguarding sensitive data. The company no longer works for Wells Fargo. Computerworld.com

3 This Week s Presentations Samuel Ashmore: File Encoding and Detection Samuel Ashmore: Encryption and Password Recovery (EC) Earl Eiland: Timeline Analysis Mayuri Shakamuri: Data Mining for Digital Forensics (EC) Sage LaTorra: Steganography Detection (EC) Ryan Ware: File Extension Renaming and Signaturing (EC)

4 Next Week s Presentations Moses Schwartz: Analysis - Client and Web Johnathan Ammons: Web Analysis James Guess: IRC Analysis

5 Our Goal is to Begin to Develop Solid and Lasting Analytical Skills We will explore the factors that drive the need for data analysis We will begin to understand the process of data analysis and the bounds of accuracy We will present a few approaches and tools We will attempt to develop an instinct for one approach over another This will require a greater degree of class participation Where there are blanks, you will be expected to contribute

6 Lecture Overview Legal/Policy Preparation Collection Analysis Findings/ Evidence Reporting/ Action Brainstorming session Investigation centric analysis Data centric analysis General tools and methods

7 Module 1 Brainstorming Session

8 Rules Dialogue not debate Seek understanding Ask questions from a point of true curiosity Spend less time thinking about your own idea and more time actively listening Build on ideas to strengthen them Shareyour ideas Write them down and pass them forward if you chose not to speak up

9 Brainstorming Topic Pick a crime or offense to be investigated Broad or specific, your choice E.g., corporate data theft, illegal wiretapping, kidnapping, terrorism, system intrusion, phishing, identity theft, etc. Attempt to answer these questions: How can DF be used in the investigation? What data are available? How good are the data? How can the data be analyzed to find truth? What tools can make the job easier? What preparation and collection might help?

10 Module 2 Investigation Centric Analysis

11 Motivation An investigation-centric view is extremely useful in defining the analysis goals and methods Our brainstorming session was guided by a piece of the investigation context (crime) Data almost always exists in an investigative context Possession of digital contraband, kidnapping, insider trading, etc. Details of the investigation allow analysts to focus on certain data types, content, and relationships

12 Digital Forensic Goal is to Move From the Specific to the Abstract Increasing Abstraction Data Encoding Method (e.g., ASCII, bin) Organization (e.g., Timeline) Relationship (e.g., Correlation) Context (e.g., Exploit) Information Component Motivation/ Intent Knowledge/ Ability Truth Human Component Relevance (e.g., Coincidence)

13 Types of Investigations (based on role/duty) Criminal (law enforcement) Examples: murder, fraud, digital contraband Corporate (corp. employee) Examples: network intrusion, data theft, etc. Private (self or private investigator) Example: marital infidelity

14 Each Type of Investigation Has Significant and Subtle Differences Sources of data Available data? Unavailable data? Quality of data (related to the investigation)? Questions to be answered Required quality of results Availability and coupling with other investigative efforts Remember: All this is guided by law and policy

15 Module 3 Data Centric Analysis

16 Motivation Once the investigative goals, context, and details are understood, certain types of data lend themselves to specific analysis methods There are limits on the bounds of accuracy in the digital world, as in the physical world Technology presents more data analysis challenges than solutions

17 General Approach Obtain a clear understanding of the investigative goals, context, and details Think through possible sources of data As in the brainstorming session Collect and preserve data Develop a strategy for data analysis Perform analysis

18 Potential Sources of Digital Data Computers (end devices) HDD, FDD, Memory, Flash Devices, input/output devices, support chipsets, etc. Networks (communication systems) Logs, routes, ISP configuration, switch tables, network management, etc. Many others Cell phones, PDAs, pagers, printers, BlackBerry, GPS, smart cards, traffic management systems, automobile computers, point of sale terminals, telephone logs, etc.

19 Limits to the Quality of Data Access. Social. Technical. Identity. Incomplete Measurement. Others? Non-exclusive access to digital systems Existence of botnets and zombie machines Lack of Internet attribution and identity management Easy replication and fabrication of data Unclear language and language differences Missing network packets

20 Storage Media Analysis (1 of 3) media analysis MBC MPT Data from storage media Volume data Files File meta data Slack space and file slacks (win95) Unallocated space Deleted files Space not assigned to a volume

21 Storage Media Analysis (2 of 3) Volumes Accounting for all disk blocks Recover deleted partitions Investigate un-partitioned space Investigate volume meta-data regions File system Analysis of file organization Types of files Files of interest File meta data (time lines) Misnamed files

22 Storage Media Analysis (3 of 3) Deleted files Slack space Unallocated space

23 Cell Phones Call logs Contacts Text messages Pictures Geo-location over time

24 Network Data Active connections Client or server Protocol Address Nature of data Duration of connection Logs Looking for indications of malicious insider activity Attempting to measure impact of crime

25 Live System Data Encase Enterprise Windows registry Open network connections Running processes

26 Places for data to hide on a HDD (non-exhaustive list) Physical Media Areas allocated for diagnostics Residual magnetic impressions (due to jitter in write process) Other devices with storage or state-preservation Low-level format Redundant sectors Sectors marked as bad (unavailable to wiping programs) Sector overhead? Positioning and synchronization platter? Partition Inter-partition gaps Unallocated space hidden partitions Boot records and partition tables High-level format Alternate data streams (NTFS) Hidden files (.<filename> or hidden attribute) Open, but deleted files Deleted files (unstable) Paging/swap file Applications Documents (do you know what you are looking for) Files with deceptive names (hidden in the noise, e.g., /dev) Modified OS utilities (e.g., file system mounted over real file system, ls) Code (as comments) Databases (registry, history, etc.) Encoding (steganography, metadata, encryption, bit-shifting, substitution, etc.) Where else?

27 In Class Exercise Where can data hide on other devices and systems? Some examples include: As continuous network traffic In printer memory In system backups Distributed among many computers (P2P)

28 Module 4 General Tools and Methods

29 Common Analysis Methods Key word search (most mature) MAC time line analysis Encrypted file cracking Relationship analysis Causal analysis Operating system logs and records Registry (windows) User account logs Various system logs Application specific analysis, e.g., Executable and binary analysis

30 The Sleuth Kit Tools (learn through hands-on labs) File system layer (partitions, file systems) fsstat first used in lab 3 to determine block size File name layer (file name structures) ffind fls Meta-data layer (inodes, directory entries, file attributes) icat ifind ils istat mac-robber Data unit layer (disk blocks) dcat first used in lab 3 to extract disk blocks dls first used in lab 2 to copy unallocated space and slack space dstat dcalc first used in lab 3 to compute absolute block to recover

31 How Would You Determine if a system has been compromised? Determine if a suspect has been involved in theft of intellectual property? Determine if an employee has been stealing and selling trade secrets? Determine the impact of a successful network intrusion??

32 Questions? After all, you are an investigator