Introduction to Computer Forensics

Transcription

1 Introduction to Computer Forensics Subrahmani Babu Scientist- C, Computer Forensic Laboratory Indian Computer Emergency Response Team (CERT-In) Department of Information Technology, Govt of India.

2 Topics to be Covered What is Computer Forensics Why it is important to the Organization Role of First Responder Difference b/w Copying and Imaging Types of Evidences List free Forensic Tools Importance of Write blockers Demo (if time available)

3 Definition Forensics derived d from the latin word Forensis which means that "of or before the forum as in olden days. It entered the English vocabulary in the 17th century as the term forensics.(the word forensics means to bi bring to the court. ) Source :

4 Computer Forensics Process Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.

5 Stakeholders in CF Victim or Ci Criminali First Responder (From Law Enforcement ) Computer Forensics Expert and Judiciary

6 Why it is important Legal action against the criminal based on severity of the incident To File a case, we need have to preserve the evidence It should be admissible in the court of law

7 Role of First Responders Identifying the crime scene Protecting the crime scene Preserve the Digital Evidence (Volatile & Non Volatile evidence) Maintain chain of custody form Proper packing & Transport to Lab. Document Everything (Crime scene details, Hard disk details, etc.,)

8 Role of Forensic Analyst Create required Forensic Images of the original suspected media. Preserve the Original suspected media Maintain chain of custody form Examination with Forensic Images Use Standards & Procedures Use Standard Forensic Tools Report Findings

9 What you can expect from the CF Experts? Evidences from Deleted Files Unallocated Clusters and slack space Formatted Hard Drives Data Carving and Password recovery

10 Differences Biological i l Forensics Examinations with Oi Original i evidences (Samples) Computer Forensics Examinations with Images (Duplications) of Original evidences

11 Stages in Computer Forensics Identification Preservation Analysis and Report Preparations

12 Classifications Disk Forensics Network Forensics Handheld Devices Forensics Forensics Registry Forensics OS(Windows, Linux) Forensics Source Code Forensics Browser Forensics

13 Basic rules Never work on original evidence. Never mishandle evidence. Use proper software utilities to retrieve evidence from the media. Document everything while handling the suspected media

14 Types of Evidence Volatile Evidence Running Processes Active N/W Connections Passwords, Disk Encryption Keys are available accounts login passwords Memory resident malwares Non Volatile Evidence Word Documents messages Databases Internet History Registry information Deleted files, Unallocated Clusters, Slack space evidences could be recovered

15 Free Forensic Tools Volatile evidence collection tools Nigilant32, Helix DD (Forensic Acquisition Utilities), FTK Imager, WFT (Windows Forensics Toolchest) MemoryzeDD Volatile evidence Analysis tools MemParser WMFT Volatility Framework, PyFlag

16 Free Forensic Tools contd Forensic Imaging Tools True Back from CDAC, TVM DD (Forensic Acquisition Utilities), FTK Imager, Helix, DEFT (more than 15 Forensic Live CD) Analysis tools SIFT from SANS containing 32 tools TSK, Autopsy browser, PTK PyFlag» Best site: info

17 DD Disk Dump Available in Linux OS Rewritten for windows FAU Download from this link Syntax: dd.exe -v if=\\.\f: of=h:\filename.img conv=noerror --chunk 2GiB localwrt l

18 Hardware or Software Acquisition Hardware: ImageMaster Solo Logicube Forensic MD5 Talon Hardcopy3 from Voom Tech Software: Cyber Check Suite EnCase Forensic Toolkit (FTK) SafeBack DriveSpy Paraben DD command : Unix/Linux

19 Imaging vs- Copying Which h one is Best?

20 Copying of Disk Suspected disk (Source) Sterile disk (Target) Newfile.doc Test.doc Test.doc Cert-in_trainee.ppt Search &seizure.pdf MD5: f55573e2a21c4161d1eb45c Active files Deleted files CERT-In, New Delhi 20

21 Imaging of the Disk Suspected disk (Source) Sterile disk (Target) Newfile.doc Test.doc Cert-in_trainee.ppt Search &seizure.pdf Search &seizure.pdf MD5: f55573e2a21c4161d1eb45c Active files Deleted files 21

22 Is Imaging Always Possible? NO It may sometimes be necessary to access the original machine to recover evidence Computer Forensic examiner must be able to explain and demonstrate the methodologies and processes used to acquire evidence Findings must be repeatable by an independent Findings must be repeatable by an independent 3 rd party

23 Dead versus Live Acquisition Dead Acquisition - occurs when the data from the suspects computer is being copied without the assistance of the suspect s s OS. Live Acquisition occurs when the suspect s s OS is still running and being used to copy data.

24 Forensic Image File Formats RAW only contains the data from the source device. Very easy to compare data with the source (e.g. dd- images). Embedded Image contains data from the source plus additional descriptive data about the acquisition (e.g. hash values, dates, times). EnCase & FTK are examples. Some RAW imaging tools will create descriptive data but this is saved to a separate file. Many acquisition tools that create embedded images are proprietary (e.g. Encase, FTK). Most analysis tools will import a RAW image, making this the most flexible format.

25 Types of Data Acquisition Physical copy (entire physical disk) is the preferred method. Logical copy (disk partition or volume) Data acquisition format (RAW/Compressed) Command-line acquisition (low overheads use less system resources. May run from floppy disk or thumb drive) GUI acquisition Remote acquisition (over a network) Verification Checksum : CRC32 Hashing : MD5, SHA1

26 Very Important Connect your Suspected Storage Media (Hard Disk, USB Drive, etc )Through HARDWARE WRITE-BLOCKER It avoids unnecessary modification i on your media and helps to maintain Integrity of the evidence. Make sure that Source and Destination media are readily connected with forensic work station Now you may launch True Back (Forensic Imaging Software)

27 Write Blockers S/W Write Blocker Software should be enable prior to connect the suspected Media. Ex: UsbWriteProtect H / W Write Blocker Hard ware device The Suspect media should be connected through this device.

28 Drive Imaging Hardware Forensic mobile field system (MFS) Laptop with NIC Portable workstation

29 Hard Disk Information

30 BIOS - Date

31 IP Address

32

33

34

35

36

37

38

39

40

41

42

43 TOOL BOX

44 Entire System

45 CPU -Inside

46 Rearview - CPU

47 Primary Memory

48 Secondary Memory 3.5 HDD 2.5 HDD 1. HDD 1 HDD 0.85 HDD

49 References File System Forensic Analysis by brian carrier Blackhat.com com com/security/forensics/ F7E5-D32D97CF1539EBB4.pdf

50 Thanks & Demonstration