Blackhat Europe 2003 Case Tutorial - Larry Leibrock, Copyright 2003

Source: bh-europe-2003-leibrock.ppt (Author: Ping Look, Created Date: 5/1/2003 11:21:06 PM), 66 slides



Blackhat Europe 2003 Case Tutorial - Digital Information, User Tokens, Privacy and International Forensics Investigations

Larry Leibrock, Ph.D., eForensics LLC


I am an Information Technologist. I am on the teaching faculty of the Texas Law School and Business School; however, I am not a practicing attorney.


Caveats and Rights of Use

• My skills and background: forensics profession and at-trial experience
• This tutorial is not legal advice or legal opinion
• Who do I speak for? Me; no university or governmental affiliations in the context of this tutorial
• No warranty for fitness, express or implied


• No grant of license for software or technology that may be developed that supports this material
• Risk of use is expressly yours, not mine
• Your attendance in this tutorial, from here on, marks your agreement to these aforementioned caveats, conditions and limitations


Notes for Materials

• All materials (slides, case materials and discussion sets) are at http://www.eforensics.com
• I will not use/discuss each slide in this set. There are numerous slides in this set.
• The slides support a notional case. We will use the case as a discussion-leadership vehicle to explore the intersection of Digital Information, User Tokens, Privacy and International Forensics Investigations


Introduction

What you should learn in this case tutorial
1. Gain an overview of computer forensics, focusing on the Windows XP platform
2. Obtain a general overview of how forensics investigations are conducted
3. Review certain tokens (taggants) inherent in digital forensics
4. Assess the tensions between privacy and the right to conduct forensics in digital forensics
5. Engage your intellectual interests and challenge your assumptions related to the uses, investigation and user privacy in international settings.


A Protocol for this Tutorial

• Please ask questions whenever you need to.
• I reserve the obligation to ask you questions.
• Let's collectively feed our brains.


My Bias

• Digital forensics is an emerging profession.
• The notion of a profession
  - Body of knowledge - competency
  - Tests
• Science, theory and peer review are necessary but not sufficient to support the digital forensics profession; we need a community of practice among forensics professionals that is also tested with questions of privacy and ethics.


Ubiquity of Digital Devices in Everyday Life

• Characteristics
  - IT technology everywhere and embedded in everything
  - Global connectivity, always on
  - Physical world joining virtual
    • cyberspace acts can affect real-world processes and vice versa
  - Web pages and portals for everything
    • documents, people, things, places, events, processes
    • pages give access to files, sensors, actuators, controls
• Enablers
  - Business performance: more bang for the buck in less space
  - Mobility
  - Knowledge work
  - Criminal
  - Non-criminal
  - Proscribed activity


The Case: Baghdad Express


Introduction

• The subject matter of this tutorial
  - I ask that you quickly read the brief case, Baghdad Express, that is now being handed out
  - Prepare your responses to the 5 questions at the end of the case.
  - Prepare to present and defend your responses in a depositional setting
  - You have 5 minutes.


Your Notes

____________


The Baghdad Case

• What is the case about? Your 5 +/- 2 ideas?
1. _________________
2. _________________
3. _________________
4. _________________
5. _________________
6. _________________
7. _________________


The Baghdad Case

My 5 +/- 2 ideas
1. _________________
2. _________________
3. _________________
4. _________________
5. _________________
6. _________________
7. _________________


Baghdad Case: Digital Items of Interest

1. __________
2. __________
3. __________
4. __________
5. __________
6. __________
7. __________


Evidence

• Notable items versus evidence
• Broad tests for all forensics notable items and evidence
  1. Authenticity
  2. Reliability
  3. Completeness
  4. Free from interference and contamination


What is Computer Forensics?

• Who does this?
• Why is it done?
• What can be determined?
• When is forensics done?
• Where is this done?
• How is forensics done?



Forensics Defined

• People
  - Demonstrated expertise in using and explaining the forensics procedures and findings
  - Disinterested relationship, both firm/investigator and subject/investigator
  - Examiner qualifications: knowledge, training, skills, experience
• Processes
  - Accepted
  - Auditable
  - Chain of custody
  - Peer review
  - Repeatability
  - Understandable and can be explained to non-technical people


Forensics Defined

• Tools (instruments)
  - Avoid data contamination (non-intrusion)
  - Findings of fact: cross-validation
  - Prior use
  - Validity
• Measures
  - Fact-based, testable (true or false assertion)
  - The interdependent tests for integrity, validity and reliability
  - In a final sense, truthful, from which a court can render judgments


Forensics Measures

Measures (tests)
1. Authentic
2. Accurate
3. Complete
4. In conformance with law, custom and legislative fiat in the proper jurisdictions


Forensics Operationalized

• Forensics, the computer, the device, the data (electrons)
• Some definitions
  1. Investigating what has happened
  2. Audit relative to use, event, policy
  3. Sanctions: criminal, civil, administrative

Forensics defined: the collection of people, processes, tools and measures that support or refute certain allegations or suspicions of misuse which involve a computer system


Forensics Defined and Forensics Operationalized

• Forensics, the computer, the device, the data (electrons)
• Some details
  - Evidence
  - Expertise
  - Procedure (science)


The Generalized Framework

1. Protect seized evidence
2. Recover deleted files
3. Discover (enumerate) files contained in seized materials (notable text, binary, hidden & encrypted)
4. Discover swap, temp/tmp, file slack meta-data and artifacts
5. Explore all unallocated space
6. Conduct searches for key terms and special data (imagery)
7. Note any observed versus expected files, folders, binaries, www data, emails and file conditions
8. Prepare a written report; archive data and findings
9. Provide expert consultation and testimony, as necessary
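Steps 4 through 6 of the framework (file slack, unallocated space, key-term search) in working code, as an added example that is not part of the tutorial. It runs a keyword search over a raw bit-copy image and reports, for every hit, whether it lies in allocated file content, in the slack between a file's logical end and the end of its last cluster, or in unallocated clusters. The 512-byte cluster size, the allocation table and the image contents are all constructed for illustration; on a real volume the allocation data comes from the FAT or the NTFS $MFT.

```python
"""Keyword search over a raw bit-copy image that reports whether each hit lies
in allocated file content, in file slack, or in unallocated space.

Added example, not from the tutorial. The image, the cluster size and the
allocation table are constructed here to illustrate the technique; real
volumes need the allocation data parsed from the FAT or the NTFS $MFT.
"""
import re

CLUSTER = 512  # bytes per cluster (assumed; real volumes use 512 B to 64 KiB)


def build_image():
    """Constructed 8-cluster image: file A (700 B) spans clusters 0-1 and leaves
    slack at the tail of cluster 1; file B fills cluster 2; clusters 3-7 are free."""
    img = bytearray(8 * CLUSTER)
    file_a = (b"Shipping manifest, Baghdad Express freight. " * 20)[:700]
    img[0:700] = file_a
    # Slack: residue left in cluster 1 by an earlier, now deleted, file
    residue = b"old-password=hunter2"
    img[700:700 + len(residue)] = residue
    img[2 * CLUSTER:3 * CLUSTER] = b"B" * CLUSTER
    # Unallocated: fragment of a deleted document
    deleted = b"Wire transfer confirmed. See \\\\box21\\C\\games\\warez.txt"
    pos = 5 * CLUSTER + 100
    img[pos:pos + len(deleted)] = deleted
    # Allocation table as (physical start offset, logical size) per file
    allocation = {"A.txt": (0, 700), "B.bin": (2 * CLUSTER, CLUSTER)}
    return bytes(img), allocation


def clusters_for(size):
    """Number of whole clusters a file of this logical size occupies."""
    return -(-size // CLUSTER)


def classify(offset, allocation):
    """Return ('allocated'|'slack'|'unallocated', owning file or None) for a byte offset."""
    for name, (start, size) in allocation.items():
        phys_end = start + clusters_for(size) * CLUSTER
        if start <= offset < start + size:
            return "allocated", name
        if start + size <= offset < phys_end:
            return "slack", name
    return "unallocated", None


def extract_slack(img, allocation):
    """Bytes between each file's logical end and the end of its last cluster."""
    return {name: img[start + size:start + clusters_for(size) * CLUSTER]
            for name, (start, size) in allocation.items()}


def keyword_search(img, allocation, keywords):
    """Find every keyword occurrence in the image and tag it with its region."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), img):
            region, owner = classify(m.start(), allocation)
            hits.append({"keyword": kw.decode(), "offset": m.start(),
                         "region": region, "file": owner})
    return sorted(hits, key=lambda h: h["offset"])


def demo():
    """Search the constructed image for three key terms and pull the slack."""
    img, alloc = build_image()
    hits = keyword_search(img, alloc, [b"Baghdad", b"password", b"warez.txt"])
    return hits, extract_slack(img, alloc)


if __name__ == "__main__":
    hits, slack = demo()
    for h in hits:
        print(f"{h['offset']:6d} {h['region']:<11} {h['file'] or '-':<6} {h['keyword']}")
    for name, s in slack.items():
        print(f"slack of {name}: {len(s)} bytes, prefix {s[:20]!r}")
```

The region tag is what separates a notable item from evidence of use: a hit in allocated content belongs to a named file with a known owner and timestamps, while a hit in slack or unallocated space has no file metadata and needs carving and corroboration before it is attributed to anyone. The search runs on the image, never on the seized disk, so the examination cannot alter the state of the original.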


Problems with Computer Forensics

Some problems
• Collection or examination can alter character (state)
• Computer and digital investigations and evidence are new to law enforcement, courts and legislative entities
• Explosive growth of digital media density and pervasive computer platforms


Problems with Computer Forensics

Some problems
• Indirect view of digitally represented data and meta-data
• Information technology, and the mission-critical nature of IT, is in continual flux
• Range of skills, education and qualified forensics examiners
• Transitory character of digital data


Human Judgment Factors (measures) for the Forensics Practitioner

1. Are all procedures, processes and instruments (tools) involved in the forensics examination understandable, sound, subject to public demonstration and auditable?
2. Can the prosecutor (law enforcement) prove the subject (person) was the sole user on the subject platform?
3. Could the evidentiary data have been altered or in any way modified from seizure to deposition?


4. Has any evidentiary data been compromised under attorney/client privilege?
5. Is there a possibility that another user, network access or malicious code placed or altered any data on the subject platform?
6. Was the search lawful, given the nature of the allegation or offense?


Questions

• Review certain tokens (taggants) inherent in digital forensics
• What is a token?
• What is a taggant?
• Can we derive some terms?


Examples

• Tokens
  - ______
• Taggants
  - ______



Some Prevailing Frameworks for Forensics Investigations

• US laws
• Federal guidelines
  - DOJ, FBI
  - DOD
  - NIST
• International Organization on Computer Evidence (IOCE) guidelines, http://www.ioce.org
• Some national and EU privacy issues
• The prevailing model
  - Seizure, forensics (bit copy), examination, report, deposition, testimony, archiving
  - Data extracted from both logical and physical media: (active and recovered) files, data artifacts, swap space and file/device slack
  - Focus is on finding data contained in files


Forensics - An Emerging Competency Model

• Understanding and use of a particular approach
• Contemporaneous record keeping
• Understanding of evidence handling protocols
• Understanding of legal (civil, criminal) procedures
• Can the examiner explain at court the particular forensics process and particular findings?


• Understanding of the suspect platform architecture
• Access, skill and experience in forensics tools and instruments
• Forensics examiner has maintained special knowledge, experience and training


Practitioner: A Set of Questions

• Chain of custody: data custodial concerns?
• Forensic procedures
  - Documented and explainable
  - Can this be demonstrated to observers?
  - Auditable
  - Completeness
  - Non-intrusive investigation
  - Media: archiving without state change
• Malicious software
• Sole user and access: the nexus problem
• (Suspect) Can you link the particular user that had knowledge about the questioned data and use of the platform?


The Tablet PC is a fully functional computer running the Windows XP Tablet PC Edition operating system. Windows XP Tablet PC Edition, which is built on top of Windows XP Professional,


Items of Forensics Interest

1. ____
2. ____
3. ____
4. ____
5. ____
6. ____
7. ____


An Exemplar - Windows XP as a Forensics Platform

• Some details
  - Organization
  - Present variant & builds
  - Installations
  - Supported computers
  - Physical media
  - Partitions
  - File types
  - File hashing of known good and known suspect


Windows XP - The Files, Folders and Disks

• Disks A-Z, assigned consecutively by default
• Pathnames: C:\windows\system\color
• UNC: \\box21\C\games\warez.txt
• DOS 8.3 names and long file names (LFN)
• LFN name components up to 255 characters; the full path is limited to 260 characters (MAX_PATH) in the Win32 API, far more than the legacy DOS limit
• Case preserving (but not case sensitive)
• File and folder attributes: read-only, system, hidden, compressed and encrypted


Windows XP and Times

• Boot sequence
• The BIOS
• Windows XP time services
• Time and file metadata
• Temporal challenges among platforms, applications, files and logs
• Time servers
• NTP and clocks
• Investigation times
• Time zone conventions
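The temporal challenges listed above in working code, as an added example that is not part of the tutorial. NTFS stores file times as FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), FAT stores local time with no zone at all, and an examiner's own time zone setting changes what a tool displays. The block decodes FILETIME to UTC, re-interprets a FAT local time under an examiner-supplied zone (an assumption that belongs in the report), renders any instant in a chosen zone with the offset visible, and flags ordering anomalies between the created, modified and entry-modified times. The FILETIME constant for the Unix epoch is a known value; the 2003 sample timestamps and the anomaly rules are constructed, and the whole-second heuristic is a pointer for closer inspection, not proof of tampering.

```python
"""Normalise Windows file timestamps to UTC and flag ordering anomalies.

Added example, not from the tutorial. NTFS stores times as FILETIME values
(100-nanosecond ticks since 1601-01-01 UTC); FAT stores local time with no
zone, so the examiner must supply the zone the machine was set to and record
that as an assumption in the report. The sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_utc(ft):
    """Decode a 64-bit FILETIME into a timezone-aware UTC datetime."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return EPOCH_1601 + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def utc_to_filetime(dt):
    """Encode an aware datetime as a FILETIME (sub-microsecond ticks are lost)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def fat_local_to_utc(local_naive, utc_offset_hours):
    """FAT timestamps carry no zone; interpret them in the zone given (an examiner assumption)."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local_naive.replace(tzinfo=zone).astimezone(timezone.utc)


def render(dt, utc_offset_hours=0):
    """Render a UTC instant in a chosen zone, always with the offset shown."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours))).isoformat()


def timeline_anomalies(times):
    """times: dict with 'created', 'modified', 'accessed', 'entry_modified' (UTC).
    Returns human-readable reasons the timestamps deserve a closer look."""
    c, m, e = times["created"], times["modified"], times.get("entry_modified")
    issues = []
    if m < c:
        issues.append("modified precedes created: file copied/moved, or timestamp tampering")
    if e is not None and e < m:
        issues.append("MFT entry change earlier than content change: possible timestomping")
    if c.microsecond == 0 and m.microsecond == 0:
        # NTFS records 100-ns precision; whole seconds on every field is a
        # timestomp heuristic only, since FAT-origin files have 2-second resolution.
        issues.append("whole-second timestamps on an NTFS file: tool-set times possible")
    return issues


def demo():
    """Decode known and constructed values and run the anomaly check once."""
    # 116444736000000000 is the Unix epoch expressed as FILETIME (known constant)
    unix_epoch = filetime_to_utc(116444736000000000)
    # Constructed: a document created 2003-05-01 23:21:06 UTC (this deck's own Created Date)
    created = filetime_to_utc(126963048660000000)
    # Same instant as a FAT local time written by a machine set to UTC-5 (Austin)
    fat_copy = fat_local_to_utc(datetime(2003, 5, 1, 18, 21, 6), -5)
    anomalies = timeline_anomalies({
        "created": created + timedelta(days=1),   # created "after" it was modified
        "modified": created,
        "accessed": created,
        "entry_modified": created,
    })
    return unix_epoch, created, fat_copy, anomalies


if __name__ == "__main__":
    unix_epoch, created, fat_copy, anomalies = demo()
    print("Unix epoch as FILETIME decodes to", render(unix_epoch))
    print("created (UTC)   ", render(created))
    print("created (UTC-5) ", render(created, -5))
    print("FAT copy (UTC)  ", render(fat_copy))
    for a in anomalies:
        print("anomaly:", a)
```

Every time in the report should carry its offset, and every conversion from a zone-less source (FAT, many application logs, BIOS clock) should name the zone assumed; without that, a file written at 18:21 local in Austin and one written at 23:21 UTC look like different events to a court reading a timeline.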


File Hashing

• Windows XP hash sets?
• Why do we need these?
• Where are these located?
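Why hash sets matter, in working code: this is an added example that is not part of the tutorial, serving both this slide and the "file hashing of known good and known suspect" item on the Windows XP exemplar slide, and it also implements step 1 of the generalized framework (protect seized evidence) by giving the examiner a manifest that can be re-run at deposition. It streams every regular file under an examination tree through MD5 and SHA-256, drops files whose hash is in a known-good set, flags files in a known-suspect set, and leaves the rest for examination; verify() re-hashes the tree and lists anything missing, added or changed. The sample tree and both hash sets are constructed in build_sample(); a real examination hashes a write-blocked image or its mounted copy against published sets such as NIST's NSRL, never the live suspect system.

```python
"""Hash an examination tree, triage it against known-good and known-suspect
hash sets, and re-verify the tree later to prove nothing changed.

Added example, not from the tutorial. Known-good/known-suspect sets and the
sample tree are constructed in build_sample(); a real examination hashes a
write-blocked image or its mounted copy against published sets (for example
NIST NSRL), never the live suspect system.
"""
import hashlib
import os
import tempfile


def digest(path, algo, chunk=1 << 20):
    """Stream a file through hashlib so large evidence files never load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """{relative path: {size, md5, sha256}} for regular files, in a fixed order
    so two runs over the same data give the same manifest. Symlinks are skipped."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            # Legacy hash sets are MD5/SHA-1; a second, stronger hash cross-validates
            manifest[rel] = {"size": os.path.getsize(p),
                             "md5": digest(p, "md5"),
                             "sha256": digest(p, "sha256")}
    return manifest


def triage(manifest, known_good, known_bad):
    """Classify each file; known-suspect wins if a hash appears in both sets."""
    out = {}
    for rel, meta in manifest.items():
        if meta["md5"] in known_bad:
            out[rel] = "known-suspect"
        elif meta["md5"] in known_good:
            out[rel] = "known-good"
        else:
            out[rel] = "unknown"
    return out


def verify(manifest, root):
    """Re-hash and list (reason, path) for anything missing, added or changed."""
    current = hash_tree(root)
    problems = []
    for rel in sorted(set(manifest) | set(current)):
        if rel not in current:
            problems.append(("missing", rel))
        elif rel not in manifest:
            problems.append(("added", rel))
        elif current[rel]["sha256"] != manifest[rel]["sha256"]:
            problems.append(("changed", rel))
    return problems


def _write(root, rel, data):
    p = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def build_sample():
    """Constructed tree and hash sets standing in for an OS install plus one tool."""
    root = tempfile.mkdtemp(prefix="exam-")
    good = b"MZ constructed stand-in for a known operating-system binary"
    bad = b"MZ constructed stand-in for a known remote-access tool"
    _write(root, "sys/calc.exe", good)
    _write(root, "sys/rat.exe", bad)
    _write(root, "docs/plan.txt", b"Baghdad Express shipment leaves Friday")
    return root, {hashlib.md5(good).hexdigest()}, {hashlib.md5(bad).hexdigest()}


def demo():
    """Triage the sample tree, then show verify() catching a later modification."""
    root, known_good, known_bad = build_sample()
    manifest = hash_tree(root)
    classes = triage(manifest, known_good, known_bad)
    before = verify(manifest, root)  # nothing changed yet
    _write(root, "docs/plan.txt", b"Baghdad Express shipment leaves Monday")  # contamination
    after = verify(manifest, root)
    return classes, before, after


if __name__ == "__main__":
    classes, before, after = demo()
    for rel, cls in classes.items():
        print(f"{cls:<14} {rel}")
    print("verify before tampering:", before)
    print("verify after tampering: ", after)
```

The manifest is the examiner's answer to judgment factor 3 (could the data have been altered from seizure to deposition?): it is written once, signed into the case file, and re-run by anyone who needs to check that the archived image and the examined copy still match.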


The Windows XP Special Items of Forensics Interest

• Anti-forensics tools
• Application meta-data
• Concealed media (logical or physical)
• Data encryption applications or data
• Digital cameras
• Global positioning devices, maps
• Offline media
• Printers
• Scanners
• Steganography applications
• Windows XP hardware hash


Typical Windows XP Files - Hiding Places

• Browser history and favorites
• Cluster slack
• Compressed or encrypted folders
• Disconnected hard drive in chassis
• Email residue
• ERD and backups
• Files marked for deletion
• Hidden files


• Online messenger services
• Normally named files
• Other OS partition or virtual machine
• Print spool (online and offline)
• RAM-resident files
• Renamed and mismatched files
• Sleep or hibernate mode files
• Swap or page files
• Temp and tmp (Word and Excel)
• Zip drives, CD devices, floppies and portable drives


The Registry

• Browser settings are stored
• Most de-installations leave forensics "residue"
• Most recently used (MRU) lists
• My Documents
• Recycle or trash bin
• Some application passwords are stored
• Some applications register name, company, license and sometimes address and install time/date
• Usenet messages for newsgroups


The Windows XP Intel Platform

• The disk drive(s) and engineer-service-order (ESO) sectors or tracks
• The MAC address
• The platform hash
• The processor ID
• The registry and its form in XP


The Windows XP Applications Interface

• Focus
• Folders
• My Computer
• Network Neighborhood
• Quick Launch
• Recycle Bin
• Shortcuts (links)
• Start button
• Task bar


A Forensics Model

• Explore and better describe the linkages among
  1. User to a platform (device, operating environment, connectivity)
  2. Platform to applications
  3. Applications to notable data
  4. Note special data and device artifacts beyond our typical notions of disk media
  5. Characterize time and timing meta-data


The Forensics Processes and Working Tools

1. Seizure process
2. Bit copy process (use special tool; preliminary data set)
3. Examination process
4. Reporting process
5. Archiving process
6. Deposition & testimony process


Anti-Forensics Tools

• Backdoor "Santas": remote desktop access
• Cleaning the registry: Regedt32
• Disk scrubbers: secure delete
• Encryption, typically PGP
• Evidence Eliminator application
• Hidden or encrypted partitions
• Special RAM-based personal computers
• Special steganography tools
• Window Washer application


Some Special Points Relative to the Baghdad Express Case


Forensics Windows XP: A Review for this Tutorial

1. ______
2. ______
3. ______
4. ______
5. ______
6. ______
7. ______


Case Summation

• Your ideas?


Notes

____________


Your Questions


Parting Points

• Learn the forensics key processes
• Spend time in high-quality forensics tool training after learning shareware tools
• Never "hang on a single nail" when you are doing computer forensics
• Invest in a range of tools; cross-validate your observations
• Build on Dan Farmer's idea: do forensics on your own system


Parting Points

• Know what you know; avoid doing what you do not know (example: BEOS assignment)
• Practice the forensics tradecraft; consider using this learning model: Crawl, Walk, Run


My Appreciation

• Thank you for your time and interest
• Thank you for your support of the forensics community of practice
• My coordinates
  - [email protected]
  - [email protected]
  - http://www.eforensics.com
  - Austin, Texas (512) 471-1650
  - GMT -5
