Blackhat Europe 2003 Case Tutorial
Larry Leibrock Copyright 2003
Blackhat Europe 2003 Case Tutorial –
Digital Information, User Tokens, Privacy and International Forensics Investigations
Larry Leibrock, Ph.D., eForensics LLC
I am an Information Technologist. I am on the teaching faculty of the Texas Law School and Business School; however, I am not a Practicing Attorney.
Caveats and Rights of Use
• My skills, background – forensics profession and at-trial experience
• This tutorial is not – legal advice or legal opinion
• Who do I speak for? – me – no university or governmental affiliations – in the context of this tutorial
• No warranty for fitness – express or implied
Caveats and Rights of Use
• No grant of license for software or technology that may be developed that supports this material
• Risk of use – are expressly yours – not mine
• Your attendance in this tutorial, from here on, marks your agreement to these aforementioned caveats, conditions and limitations
Notes for Materials
• All materials – slides and case materials and discussion sets are at http://www.eforensics.com
• I will not use/discuss each slide in this set. There are numerous slides in this set.
• The slides support a notional case – We will use the case as a discussion-leadership vehicle to explore the intersection of Digital Information, User Tokens, Privacy and International Forensics Investigations
Introduction
What you should learn in this case tutorial
1. Gain an overview of Computer Forensics focusing on the Windows XP platform
2. Obtain a general overview of how forensics investigations are conducted
3. Review certain tokens (taggants) inherent in digital forensics
4. Assess the tensions among privacy – right to conduct forensics in digital forensics
5. Engage your intellectual interests and challenge your assumptions related to the uses, investigation and user privacy in international settings.
A Protocol – for this Tutorial
• Please Ask Questions – whenever you need to.
• I reserve the obligation to ask you questions
• Let's collectively feed our brains.
My Bias
• Digital Forensics is an emerging profession.
• The notion of a profession
  – Body of Knowledge - Competency
  – Tests
• Science, Theory and Peer Review are necessary but not sufficient to support the digital forensics profession – we need a community of practice among forensics professionals that is also tested with questions of privacy and ethics.
Ubiquity of Digital Devices in everyday life
• Characteristics
  – IT technology everywhere and embedded in everything
  – Global connectivity and always on
  – Physical world joining virtual
    • cyberspace acts can affect real-world processes and vice versa
  – Web pages and portals for everything
    • documents, people, things, places, events, processes
    • pages give access to files, sensors, actuators, controls
• Enablers
  – Business performance: more bang for buck in less space
  – Mobility – Knowledge work
  – Criminal
  – Non-Criminal
  – Proscribed Activity
The Case: Baghdad Express
Introduction
• The subject matter of this tutorial
  – I ask that you quickly read the brief case Baghdad Express - that is now being handed out
  – Prepare your responses to the 5 questions at the end of the case.
  – Prepare to present and defend your responses in a depositional setting
  – You have 5 minutes.
Your Notes
The Baghdad Case
• What is the case about? Your 5+/-2 Ideas?
1. ______ 2. ______ 3. ______ 4. ______ 5. ______ 6. ______ 7. ______
The Baghdad Case
My 5+/-2 Ideas
1. ______ 2. ______ 3. ______ 4. ______ 5. ______ 6. ______ 7. ______
Baghdad Case – Digital Items of Interest
1. ______ 2. ______ 3. ______ 4. ______ 5. ______ 6. ______ 7. ______
Evidence
• Notable items versus evidence
• Broad tests for all forensics notable items and evidence
1. Authenticity
2. Reliability
3. Completeness
4. Free from interference and contamination
What is Computer Forensics?
• Who does this?
• Why is it done?
• What can be determined?
• When is forensics done?
• Where is this done?
• How is forensics done?
Forensics Defined
• People
  – Demonstrated Expertise in using, explaining the forensics procedures and findings
  – Disinterested Relationship – both Firm/Investigator and Subject/Investigator
  – Examiner Qualifications – knowledge - training – skills – experience
• Processes
  – Accepted
  – Auditable
  – Chain of Custody
  – Peer-review
  – Repeatability
  – (understandable and can be explained to non-technical people)
Forensics Defined
• Tools (Instruments)
  – Avoid Data contamination (non-intrusion)
  – Findings of facts - Cross-validation
  – Prior Use
  – Validity
• Measures
  – Fact-based - testable (True or False Assertion)
  – The inter-depending tests for integrity, validity and reliability
  – In a final sense – Truthful – from which a court can render judgments
Forensics Measures
Measures (Tests)
1. Authentic
2. Accurate
3. Complete
4. In conformance with law, custom and legislative fiat in proper jurisdictions
Forensics Operationalized
• Forensics, the computer, the device, the data (electrons)
• Some Definitions
  1. Investigating what has happened
  2. Audit relative to use – event - policy
  3. Sanctions: – Criminal – civil – administrative
Forensics Defined: collection of people - processes – tools – measures that support or refute certain allegations or suspicions of misuse which involve a computer system
Forensics Defined and Forensics Operationalized
• Forensics, the computer, the device, the data (electrons)
• Some details
  – Evidence
  – Expertise
  – Procedure (science)
The Generalized Framework
1. Protect seized evidence
2. Recover deleted files
3. Discover (enumerate) files contained in seized materials (notable text, binary, hidden & encrypted)
4. Discover swap, temp/tmp, file slack meta-data and artifacts
5. Explore all unallocated space
6. Conduct searches for key terms, special data – imagery
7. Note any observed versus expected files, folders, binaries, www data, emails and file conditions
8. Prepare a written report – archive data, findings
9. Provide expert consultation and testimony, as necessary
Problems with Computer Forensics
Some Problems
• Collection or examination can alter character (state)
• Computer – Digital investigations and evidence are new to law enforcement, courts and legislative entities
• Explosive growth of digital media density and pervasive computer platforms
Problems with Computer Forensics
Some Problems
• Indirect view of digitally represented data and meta-data
• Information technology and mission-critical nature of IT is in continual flux
• Range of skills, education and qualified forensics examiners
• Transitive character of digital data
Human Judgment Factors (measures) for the Forensics Practitioner
1. Are all procedures, processes and instruments (tools) involved in the forensics examination – understandable, sound, subject to public demonstration and auditable?
2. Can the prosecutor – (law enforcement) prove the subject (person) was the sole user on the subject platform?
3. Could the evidentiary data have been altered or in any way modified from seizure to deposition?
Human Judgment Factors (measures) for the Forensics Practitioner
4. Has any evidentiary data been compromised under attorney/client privilege?
5. Is there a possibility that another user, network access or malicious code placed or altered any data on the subject platform?
6. Was the search – lawful, given the nature of the allegation or offense?
Questions
• Review certain tokens (taggants) inherent in digital forensics
• What is a token?
• What is a taggant?
• Can we derive some terms?
Examples
• Tokens
  – ______
• Taggants
  – ______
Some prevailing frameworks for forensics investigations
• US Laws
• Federal Guidelines
  – DOJ – FBI
  – DOD
  – NIST
• International Organization on Computer Evidence IOCE Guidelines http://www.ioce.org
• Some national and EU Privacy Issues
• The prevailing model
  – Seizure, forensics (bit copy), examination, report, deposition, testimony, archiving
  – Data extracted from both logical and physical media (active and recovered) files, data artifacts, swap space and file – device slack
  – Focus is on finding data contained in files
Forensics – An Emerging Competency model
• Understanding and use of a particular approach
• Contemporaneous record keeping
• Understanding of evidence handling protocols
• Understanding of legal (civil-criminal) procedures
• Can the examiner explain in court – the particular forensics process and particular findings
Forensics – An Emerging Competency model
• Understanding of the suspect platform architecture
• Access, skill and experience in forensics tools and instruments
• Forensics examiner has maintained special knowledge – experience and training
Practitioner – A Set of Questions
• Chain of Custody - Data Custodial concerns?
• Forensic procedures
  – Documented and explainable
  – Can this be demonstrated to observers
  – Auditable
  – Completeness
  – Non-Intrusive Investigation
  – Media – Archiving without state-change
• Malicious software
• Sole User and Access – The Nexus Problem
• (Suspect) Can you link the particular user that had knowledge about questioned data and use of the platform
Tablet PC is a fully functional computer running the Windows XP Tablet PC Edition operating system. Windows XP Tablet PC Edition, which is built on top of Windows XP Professional,
Items of Forensics Interest
1. ____ 2. ____ 3. ____ 4. ____ 5. ____ 6. ____ 7. ____
An exemplar - Windows XP as a forensics platform
• Some details
  – Organization
  – Present Variant & Builds
  – Installations
  – Supported Computers
  – Physical Media
  – Partitions
  – File Types
  – File Hashing of known good and known suspect
Windows XP – The Files, Folders and Disks
• Disks A-Z – default consecutively
• Pathnames C:\windows\system\color
• UNC \\box21\C\games\warez.txt
• DOS 8.3 and LFN
• LFN up to 260 characters
• Case preserving
• Maximum Path is 80 characters
• File and folder attributes – read – system, hidden, compressed and encrypted
Windows XP and Times
• Boot Sequence
• The BIOS
• Windows XP Time Services
• Time and File metadata
• Temporal Challenges among platforms, applications, files and logs
• Time servers
• NTP and clocks
• Investigation times
• Time zone conventions
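An added example (not part of the original slides) of the temporal challenge the slide raises: NTFS stores file times as FILETIME ticks in UTC, while many application logs record naive local time, so the two must be normalized to one timeline before they can be correlated. The sample file timestamp and log line below are constructed; the -5 hour offset is an assumed investigator/subject zone.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_utc(ticks: int) -> datetime:
    """Decode an NTFS / registry FILETIME value into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_utc; `when` must be timezone-aware."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def local_log_to_utc(stamp: str, utc_offset_hours: float) -> datetime:
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' log stamp recorded in a local zone."""
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=local_zone).astimezone(timezone.utc)


def correlate(file_ticks: int, log_stamp: str, log_offset_hours: float) -> dict:
    """Place a file timestamp and a log entry on one UTC timeline and report the
    gap in seconds (positive means the log event is later than the file time)."""
    file_utc = filetime_to_utc(file_ticks)
    log_utc = local_log_to_utc(log_stamp, log_offset_hours)
    return {
        "file_utc": file_utc.isoformat(),
        "log_utc": log_utc.isoformat(),
        "log_minus_file_seconds": (log_utc - file_utc).total_seconds(),
    }


# Constructed evidence: a file last written at 19:32:10 UTC, and a log line written
# 30 seconds later by an application that stamps entries in local time (UTC-5).
SAMPLE_FILE_TICKS = utc_to_filetime(datetime(2003, 5, 12, 19, 32, 10, tzinfo=timezone.utc))
SAMPLE_LOG_STAMP = "2003-05-12 14:32:40"

if __name__ == "__main__":
    # Correct zone: the two events are 30 s apart.
    print(correlate(SAMPLE_FILE_TICKS, SAMPLE_LOG_STAMP, -5))
    # Treating the local log as UTC silently shifts the event by five hours.
    print(correlate(SAMPLE_FILE_TICKS, SAMPLE_LOG_STAMP, 0))
```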
File Hashing
• Windows XP Hash Sets?
• Why do we need these?
• Where are these located?
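An added example (not from the original slides) of why hash sets matter: hashing classifies a file by content, so a stock component renamed to look notable is filtered out as known-good and a known suspect tool renamed to look like a stock binary is still flagged. The hash sets and the file tree are constructed here; a real examination would load known-good and known-suspect sets from a trusted reference source.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path, chunk_size=65536):
    """Stream the file so large evidence items do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, known_good, known_suspect):
    """Known-suspect takes precedence: a collision of sets should never hide a hit."""
    digest = sha1_of_file(path)
    if digest in known_suspect:
        return "known-suspect", digest
    if digest in known_good:
        return "known-good", digest
    return "unknown", digest


def triage(root, known_good, known_suspect):
    """Map every file under root (POSIX-style relative path) to its verdict."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            verdict, _digest = classify(path, known_good, known_suspect)
            results[path.relative_to(root).as_posix()] = verdict
    return results


# Constructed reference content standing in for a stock OS component and a known tool.
GOOD_CONTENT = b"constructed: bytes of a stock Windows XP component\n"
SUSPECT_CONTENT = b"constructed: bytes of a known anti-forensics tool\n"
KNOWN_GOOD = {hashlib.sha1(GOOD_CONTENT).hexdigest()}
KNOWN_SUSPECT = {hashlib.sha1(SUSPECT_CONTENT).hexdigest()}


def build_sample_image(root):
    """Constructed file tree: the names are chosen to mislead, the contents are not."""
    root = Path(root)
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "games").mkdir()
    (root / "WINDOWS" / "system32" / "notepad.exe").write_bytes(SUSPECT_CONTENT)  # tool renamed to look stock
    (root / "games" / "warez.txt").write_bytes(GOOD_CONTENT)  # stock file renamed to look notable
    (root / "games" / "readme.txt").write_bytes(b"constructed: user-authored text\n")


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return triage(tmp, KNOWN_GOOD, KNOWN_SUSPECT)


if __name__ == "__main__":
    for rel_path, verdict in run_demo().items():
        print(f"{verdict:14} {rel_path}")
```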
The Windows XP – Special Items of Forensics Interest
• Anti-Forensics Tools
• Applications Meta-data
• Concealed media (logical or physical)
• Data Encryption applications or data
• Digital Cameras
• Global Positioning Devices – maps
• Offline media
• Printers
• Scanners
• Steganography applications
• Windows XP Hardware Hash
Typical Windows XP Files – Hiding Places
• Browser – history and favorites
• Cluster slack
• Compressed or encrypted folders
• Disconnected Hard-Drive in Chassis
• Email residue
• ERD and Backups
• Files marked for deletion
• Hidden files
Typical Windows XP Files – Hiding Places
• Online messenger services
• Normally named files
• Other OS Partition or Virtual Machine
• Print Spool (online and offline)
• RAM Resident Files
• Renamed and Mismatched files
• Sleep or Hibernate Mode Files
• Swap or page files
• Temp and tmp (Word and Excel)
• Zip Drives, CD Devices, Floppies and portable drives
The Registry
• Browser settings are stored
• Most de-installations leave forensics "residue"
• Most Recently used
• My Documents
• Recycle or Trash Bin
• Some Application passwords are stored
• Some Applications register name, company, license and sometimes address and install time/date
• Usenet Messages for newsgroups
The Windows XP Intel Platform
• The Disk Drive(s) and engineer-service-order (ESO) sectors or tracks
• The MAC address
• The Platform Hash
• The Processor ID
• The Registry and its form in XP
The Windows XP – The Applications Interface
• Focus
• Folders
• My Computer
• Network Neighborhood
• Quick Launch
• Recycle Bin
• Short cut – (links)
• Start Button
• Task Bar
A Forensics Model
• Explore and better describe the linkages among
  1. User to a Platform (device – operating environment – connectivity)
  2. Platform to Applications
  3. Applications to Notable Data
  4. Note special data and device artifacts beyond our typical notions of disk media
  5. Characterize time and timing meta-data
The Forensics Processes and Working tools
1. Seizure Process
2. Bit copy Process (Use special tool – Preliminary Data set)
3. Examination Process
4. Reporting Process
5. Archiving Process
6. Deposition & testimony Process
Anti-Forensics Tools
• Backdoor "Santas" – Remote Desktop access
• Cleaning the Registry – Regedit32
• Disk Scrubbers – Secure Delete
• Encryption – typically PGP
• Evidence Eliminator Application
• Hidden or Encrypted Partitions
• Special RAM based Personal Computers
• Special Steganography tools
• Windows Washer Application
Some Special Points relative to the Baghdad Express Case
Forensics Windows XP – A Review for this Tutorial
1. ______ 2. ______ 3. ______ 4. ______ 5. ______ 6. ______ 7. ______
Case Summation
• Your Ideas?
Notes
Your Questions
Parting Points
• Learn the forensics key processes
• Spend time in high-quality forensics tool training after learning shareware tools
• Never "hang on a single nail" when you are doing computer forensics
• Invest in a range of tools, cross-validate your observations
• Build on Dan Farmer's idea – do forensics on your own system
Parting Points
• Know what you know – avoid doing what you do not know – example BEOS assignment
• Practice the Forensics Tradecraft – consider using this learning model: Crawl – Walk – Run
My Appreciation
• Thank you for your time and interest
• Thank you for your support of the forensics community of practice
• My Coordinates
  – [email protected]
  – [email protected]
  – http://www.eforensics.com
  – Austin, Texas (512) 471-1650
  – GMT -5