Digital Forensics. Module 10 CS 996

Transcription

1 Digital Forensics Module 10 CS 996

2 Outline of Module #10 Review MidTerm exam Legal update Suni Munshani Howard Carmack EnCase workshop 4/19/2004 Module 10 2

3 QUESTION #5 Return-Path: Received: from ns4.inch.com (ns4.inch.com [ ]) by util.inch.com ( / /UTIL-INCH ) with ESMTP id i07eifot for Wed, 7 Jan :44: (EST) (envelope-from djshmq@greenwood.com) Received: from ([ ]) FAKED SOURCE IP ADDRESS by ns4.inch.com (8.12.8p2/8.12.8/MXER-INCH-3.0.8) with SMTP id i07eiwq for <fred@monarch-info.com>; Wed, 7 Jan :44: (EST) (envelope-from djshmq@greenwood.com) Received: from [ ] by id U8MT8xwBv0ra; Wed, 07 Jan A.B.C.0 IS NOT AN ALLOWED HOST ADDRESS :39: Message-ID: <47q73116dgh6$p8ch4$1$6m7o7-d@vwk5rh7ji> From: "Lily Frazier" <djshmq@greenwood.com> Reply-To: "Lily Frazier" djshmq@greenwood.com MISMATCHED USER NAME To: fred@monarch-info.com WRONG ADDRESS 4/19/2004 Module 10 3

4 QUESTION #6 Return-Path: Received: from ns4.inch.com (ns4.inch.com [ ]) By util.inch.com with ESMTP id i2ff9mjz For Mon, 15 Mar :09: (EST) (envelope-from Received: from lineaaf97.velocom.com.ar (lineaaf97.velocom.com.ar [ ]) By ns4.inch.com with SMTP id i2ff8wp For Mon, 15 Mar :09: (EST) TIME IS EARLIER THAN PREVIOUS HOP! (envelope-from Received: from jojomail.com (jojomail-com.mr.outblaze.com [ ]) By lineaaf97.velocom.com.ar (postfix) with ESMTP id EACAA360CA For Mon, 15 Mar :10: From: Seacoast O. Hydras NAME DOESN T MATCH ADDRESS To: Fred fred@monarch-info.com WRONG ADDRESS Subject: Fred just look in my eyes dzddr PHONY SUBJECT LINE Date: Mon, 15 Mar :10: Message-ID: <110101c40a9f$cf7c694d$7eeacbe4@jojomail.com> 4/19/2004 Module 10 4

5 Pornographic Attachments If not viewed, they stay in.pst folder If viewed, they are rendered and found by: Searching for images on hard drive Looking in temporary internet folder Looking in MRU key in registry 4/19/2004 Module 10 5

6 Outlook Timestamps Received: the last SMTP server Created: entered in to the.pst file Modified: changed version entered in.pst file 4/19/2004 Module 10 6

7 4/19/2004 Module 10 7

8 Legal Update Suni Munshani Howard Carmack, aka The Buffalo Spammer 4/19/2004 Module 10 8

9 Suni Munshani is Back! His case in Massachusetts court was dismissed due to fraud He is being prosecuted for fraud by US Attorney He appealed the dismissal Only isolated incident of perjury Not unconscionable scheme He lost the appeal (March 26, 2004) 4/19/2004 Module 10 9

10 Howard Carmack Convicted April 1, 2004 in Erie County Court, New York Sent 800 million spam messages using Earthlink Charges did not include Can-Spam law 4/19/2004 Module 10 10

11 Carmack Conviction Forgery: falsely made written instrument with intent to defraud Possession of forgery device, ie software Identity theft: falsely obtained services from Earthlink Falsifying business records: Earthlink s business records 4/19/2004 Module 10 11

12 EnCase Resources Academic CD Instructor Notes User Manual excerpts on analysis Training Manual Online videos 4/19/2004 Module 10 12

13 Analysis With EnCase Initialize case Bookmarks: reporting 4/19/2004 Module 10 13

14 Initialize Case: EnCase Scripts Allow custom forensic analysis Program in C++ like API Pre-made scripts Initialize Case Download from Install in: c:\program files\encase\scripts\examples Running scripts: View Scripts Select Script Run View report => Bookmarks 4/19/2004 Module 10 14

15 Using Bookmarks Save important data for report View Bookmarks: Create New Folder Text Images 4/19/2004 Module 10 15

16 4/19/2004 Module 10 16

17 4/19/2004 Module 10 17

18 Navigating Case View Table Signature analysis (in Search function) Hash analysis Gallery Timeline Report Disk 4/19/2004 Module 10 18

19 4/19/2004 Module 10 19

20 4/19/2004 Module 10 20

21 4/19/2004 Module 10 21

22 4/19/2004 Module 10 22

23 Finding Evidence Sorting columns in table view Filters, queries and scripts Recovering folders Keyword search 4/19/2004 Module 10 23

24 4/19/2004 Module 10 24

25 Filters, Queries and Scripts Filters Use built-in capabilities Create queries when filter is run Queries Combine more than one filter in semi-custom query Scripts Create your own search function using C++ like language 4/19/2004 Module 10 25

26 4/19/2004 Module 10 26

27 4/19/2004 Module 10 27

28 String Search Adding keywords Choose files/folders to be searched Configure search 4/19/2004 Module 10 28

29 EnCase Search Method First does logical search Next does sector by sector Compound files like.pst and.dat need to be mounted separately CLUSTER N CHILD PORNOGRAPHY CLUSTER N+1 4/19/2004 Module 10 29

30 4/19/2004 Module 10 30

31 4/19/2004 Module 10 31

32 4/19/2004 Module 10 32

33 4/19/2004 Module 10 33

34 4/19/2004 Module 10 34

35 File Signatures Stated extension on evidence file Header information in the file itself Matches? 4/19/2004 Module 10 35

36 4/19/2004 Module 10 36

37 Compound File Analysis Registry 4/19/2004 Module 10 37

38 Access Registry 4/19/2004 Module 10 38

39 Win98: user.dat 4/19/2004 Module 10 39

40 View Folder Compound file Locate.dbx or.pst files View file structure 4/19/2004 Module 10 40

41 4/19/2004 Module 10 41

42 4/19/2004 Module 10 42

43 File Viewers Look at file outside Encase Add: View => File Viewers Create association: View => File Types Double click on file: copies and opens with viewer QuickView Plus different file formats Eliminates problems with trojans, viruses, etc. 4/19/2004 Module 10 43

44 Add File Viewer 4/19/2004 Module 10 44

45 Create Association (View Filetypes) 4/19/2004 Module 10 45

46 Slack Space in EnCase 4/19/2004 Module 10 46

47 References for Module #10 Bill Nelson, Guide to Computer Investigations, Warren Kruse, Computer Forensics, Kevin Mandia, Incident Response, EnCase Legal Journal (course web site) Suni Munshani: 4/19/2004 Module 10 47