
CERT-In 1

Computer Forensics

Omveer Singh, Additional Director / Scientist ‘E’

[email protected]

Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
New Delhi

CERT-In 2

Agenda

• Cyber Forensics
• Computer crime investigation Methodology
• Storage Media Forensics
• Digital Evidence Examination Process
  – Acquisition, Analysis, Interpretation, Presentation
• Imaging the digital evidence (storage media)
• Computer Forensics Toolkits
• Anti-Forensics, Steganography
• References

CERT-In 3

What is Computer forensics…?

Most of the time, criminals leave some clues, traces or a trail at the crime scene, and that is searched for as evidence.

But sometimes the evidence being analysed is not a bloodstain, a footprint or a tool mark: the evidence is in electronic form.

CERT-In 4

But a “trail” of electronic fingerprints ...

The bits and bytes of data hidden inside a computer can be forensically pieced together.

The way the investigator pieces these secrets together from the electronic media is called Computer forensics.

CERT-In 5

What is Computer Forensics?

A process of applying scientific & analytical techniques to computers, networks, digital devices, & files to discover or recover admissible evidence.

CERT-In 6

Computer Forensics

Computer Forensics is not just about the Computer; it is essentially about:

• Correct processes of investigation
• Rules of evidence
• Integrity of evidence
• Clear and concise reporting of factual information
• Provision of expert testimony.

CERT-In 7

Computer forensic investigations

• Computer Crime Investigation
• Cyber Crime Investigation
• Detection and Investigation of Malicious Applications
• Data recovery

CERT-In 8

What is Computer Forensics??

– Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

– Evidence might be required for a wide range of computer crimes and misuses

– Multiple methods of:
  – Discovering data on a computer system
  – Recovering deleted, encrypted, or damaged file information
  – Monitoring live activity
  – Detecting violations of corporate policy

– Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity

CERT-In 9

What is Computer Forensics??

• What Constitutes Digital Evidence?
  – Any information, whether subject to human intervention or not, that can be extracted from a computer.
  – Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.

• Computer Forensics Examples
  – Recovering thousands of deleted emails
  – Performing investigation post employment termination
  – Recovering evidence post formatting of a hard drive
  – Performing investigation after multiple users had taken over the system

CERT-In 10

Computer Forensics – why ?

• Some common practices may destroy digital evidence. Direct analysis of the original makes it tampered evidence, unacceptable in a court of law.

Digital Evidence is -
• Latent, like fingerprints or DNA
• Extremely fragile & resilient; can be altered, damaged or destroyed easily
• Can transcend borders with ease & speed (networked systems)

CERT-In 11

Computer Crime Investigation Methodology

• Analysis of evidence is carried out virtually at a physical location (lab).

• Search for some direct information from the evidence that may have significance in the case.

• Computer Forensics traditionally relies upon the data inadvertently left on disk by the SW application programs / tools.

CERT-In 12

Cyber Forensics

• Computer Forensics
• Mobile Forensics

CERT-In 13

Subcategories of Computer Forensic Analysis

• Source Code Analysis
• Network Analysis
• Storage Media Analysis

CERT-In 14

Source Code Forensics

• To examine software source code for malicious signatures

• To determine software ownership or software liability issues.
  – Review of actual source code.
  – Examination of the entire development process, e.g., development procedures, documentation review, and review of source code revisions.

CERT-In 15

Who Uses Computer Forensics?

• Criminal Prosecutors
  – Rely on evidence obtained from a computer to prosecute suspects and use as evidence

• Civil Litigations
  – Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases

• Insurance Companies
  – Evidence discovered on a computer can be used to mitigate costs (fraud, worker’s compensation, arson, etc)

• Private Corporations
  – Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases

CERT-In 16

Computer Forensics - Objectives

• To identify the digital evidence (should be acceptable in a court of law)

• To investigate and analyse the digital evidence & find the relevant data / documents

• To reconstruct the chain of events

• To identify the computer & user (?) responsible for the crime.

CERT-In 17

Computer Forensic Investigations

Limitation :
• Investigation can only identify the system & user-id through which the cyber crime was performed and not the person who carried out the cyber crime.

Solution :
• Follow security policy strictly
• Login Id & Password should not be shared
• Have physical access controls
• Have video recording & monitoring facility for the systems with critical importance

CERT-In 18

Computer Forensic Investigation – 2 roles

• First Responder
  – record the crime site scene
  – collect volatile evidence
  – image the disks (??)
  – contain intrusion (if any)
  – preserve, protect, pack, seal the evidence
  – transport for analysis

• Digital Evidence Computer Forensics Examiner (Investigator)

CERT-In 19

Duties of First Responder

To coordinate with –

• Law enforcement Agencies (Police)
• Organisation, management
• Forensic Investigator
• Court of Law

CERT-In 20

First Responder’s Toolkit

• Log Book
  – To record all actions / events with date & time chronologically
• Safe Boot CD / Floppy
• Digital camera (or cellphone with digicam)
• Tools for
  – Imaging of media (non volatile data collection)
  – Volatile data collection

CERT-In 21

First Responder’s Log Book

• Timeline of events
• Audit trail during collection of evidence
• Who is performing the forensic collection?
• History of executed forensic tools and commands
• Generated output from forensic tools & commands
• Date & time of executed commands & tools
• Expected system changes or effects due to use of tools

CERT-In 22

Storage Media Forensics

CERT-In 23

Storage Media Forensics

• Storage Media Forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.

– includes recovery of hidden/deleted data/files.

CERT-In 24

Storage media to be examined for finding / recovery of relevant evidence in :

• Office files
• Deleted files of all kinds
• Encrypted Files
• Compressed Files
• Hidden Files
• Hidden Partitions
• Bad File Extensions
• Cache files
• Registry
• Unallocated Space
• File Slack
• Metadata
• Recycle Bin
• Temp files
• Hidden Data in files

CERT-In 25

Computer Forensic Investigation of Digital Evidence

CERT-In 26

Forensic Examination Process of Digital Evidence

• Acquisition – Imaging & Authentication
• Analysis
• Interpretation
• Presentation

CERT-In 27

4 Steps of Computer Forensics

Acquisition
• Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

Analysis
• This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

CERT-In 28

4 Steps of Computer Forensics

Interpretation
• Evaluating the information / data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

Presentation
• This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff / management, and which is suitable as evidence in a court of law

CERT-In 29

Digital Evidence : Acquisition

CERT-In 30

Digital Evidence : Search & Seizure

• Formulate Plan
• Approach & Secure Crime Scene
• Document Crime Scene Layout
• Identify suspected system(s)
• Seize Evidence
• Preserve & Protect Evidence
• Pack, Seal & Transport Evidence

CERT-In 31

Seizing of Digital Evidence

• Search Warrant
• Legal Authorisation
• Case Profile
• Evidence Seizure Note
• ISP log details
• Remote storage locations
• Potential evidences
• Skill level of users

CERT-In 32

Case Profile Documentation

• How was the incident detected?
• What is the scenario of the incident?
• What time did the incident occur?
• Who or what reported the incident?
• What hardware & software are involved?
• Who are the contacts for the involved personnel?
• How critical is the suspicious computer?

CERT-In 33

Handling the digital evidence

• Handle the original evidence as little as possible to avoid changing the data.

• Establish and maintain the chain of custody.

• Document everything that has been done.

• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

CERT-In 34

Digital Evidence should be -

1. Admissible, conform to legal requirements
2. Authentic, relevant to the case
3. Complete, & not just extracts
4. Reliable - collected & handled appropriately
5. Believable & understandable

(called the 5 rules for electronic evidence)

CERT-In 35

Digital / Electronic Evidence – Why ?

• Wide range of computer crimes and misuses
  – Non-Business Environment: evidence collected by Law Enforcement Agencies (LEAs) for crimes relating to:
    • Theft of trade secrets
    • Fraud
    • Extortion
    • Industrial espionage
    • Possession of pornography
    • SPAM investigations
    • Virus / Trojan distribution
    • Homicide investigations
    • Intellectual property breaches
    • Unauthorized use of personal information
    • Forgery
    • Perjury

CERT-In 36

Digital / Electronic Evidence – Why ?

• Computer related crime and violations include a range of activities including:
  – Business Environment:
    • Theft of or destruction of intellectual property
    • Unauthorized activity
    • Tracking internet browsing habits
    • Reconstructing Events
    • Inferring intentions
    • Selling company bandwidth
    • Wrongful dismissal claims
    • Sexual harassment
    • Software Piracy

CERT-In 37

Digital Evidence - Types

• Volatile Storage (Non-persistent data)
  Memory loses its contents if power is turned off. RAM (except the CMOS RAM used by the BIOS) contents are volatile.

• Non-volatile Storage (Persistent data)
  No change in memory contents if power is turned off. Tape or disk (magnetic / optical storage) and ROM are non-volatile.

CERT-In 38

Order of Volatility of Digital Evidence

1. Registers & Cache
2. Routing tables
3. ARP Cache
4. Process Table
5. Kernel statistics & modules
6. Main memory (RAM)
7. Temporary System files
8. Secondary Memory
9. Router Configuration
10. Network Topology

CERT-In 39

Digital Evidence Handling at Crime Site

• Document the Crime Scene - OS (Ver.), BIOS date & time (and difference, if any), H/w & S/w Configuration, IP / MAC address

• Computer System : shutdown / power off ?
• Identify Evidence & Authenticate through 32 / 64 bit Hash (CRC, MD5 checksum)
• Make Bit-stream copy / image of the seized storage media

CERT-In 40

Digital Evidence Handling at Crime Site (contd ..)

• Label all the connecting cables and take photographs
• Document the chain of custody
• Preserve the Evidence before packing for transportation
• Securely pack & transport the Evidence to the lab

CERT-In 41

Digital Evidence Handling at Crime Site (contd ..)

• Store the seized org. evidence in a protected storage

• Transfer the Computer System to a locked secure location

“Best Practices for Seizing Electronic Evidence Ver. 3” may be downloaded from -
http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

CERT-In 42

Digital Evidence Handling : Best Practices

• Follow the organisation’s Security Policy
• Maintain integrity of org. evidence
• Secure the original evidence
• Never work on original evidence
• Minimise handling of original data & its corruption
• Document the changes noticed, if any, and log all the actions

CERT-In 43

Digital Evidence Handling : Best Practices (contd ..)

• Always backup the discovered information
• Document (log) all the investigative activities
• Don’t exceed your knowledge
• Always remember – you are required to testify in a court of law
• Ensure your actions are repeatable

CERT-In 44

Digital Evidence Handling : Best Practices (contd ..)

• Capture accurate bit image of the original evidence

• Proceed the data collection from volatile to non-volatile evidence

• Don’t shutdown system before collecting volatile evidence

• Don’t run any application on the affected system

• Don’t alter the discovered information

CERT-In 46

Electronic Evidence : Hard Disk Imaging & Authentication

CERT-In 47

Processing Evidence from Computer Crime Site

• Start the Lab Evidence Log
• Mathematically authenticate the Storage Media (Disk)
• Generate Bit stream backup (image) of the Storage media, hard disk(s), etc.
• Proceed with the Forensic Examination

CERT-In 48

Why Create a Duplicate Image?

• A file copy does not recover all data areas of the device for examination

• Examining a live file system changes the state of the evidence (MAC times)

• Working from a duplicate image
  – Preserves the original evidence
  – Prevents inadvertent alteration of original evidence during examination
  – Allows recreation of the duplicate image if necessary

CERT-In 49

Logical Vs Physical Backup

• What is logical back up?

A logical back up copies the active directories and files of a logical volume. It does not capture other data that may be present on the media, such as deleted files or residual data stored in the slack space.

• What is forensic imaging (physical backup)?

Generating a bit for bit copy of the original media including free space and slack space, also called physical back up.

CERT-In 50

Disk (digital evidence) Imaging

• Maintain integrity & security of the org. evidence – use HW write blockers
• Bit by bit copy; no change in the sequence & location of data – an exact replica, but it may be stored on a different type of media
• Usually done by copying sector by sector
• Forensically sound copy of the org. evidence
• The above means – swap file, unallocated space & file slack are also copied
• Time consuming process

CERT-In 51

Disk Imaging Tools Requirements

• The tool should make a bit-stream duplicate or an image of an original disk or partition.

• The tool should not alter the original contents of the disk.

• The tool should be able to verify the integrity of a disk image file.

• The tool should log I/O errors.

• The tool’s documentation should be correct.

CERT-In 52

Disk Imaging Hardware

• Forensic mobile field system (MFS)
  – Laptop with NIC
  – Portable workstation

CERT-In 53

Points to remember when imaging a hard disk

• Ensure the suspected disk is connected through H/W write blocker.

• The destination disk should be a freshly wiped disk, even if it is new.

• Entire disk imaging is better than partition (Volume) wise imaging.

• Every action should be documented.

CERT-In 54

Disk Write Blockers

• Prevent writing of data to the suspect original drive

• Ensure the integrity of the suspect original drive

• Software Write Blockers v/s Hardware Write Blockers

CERT-In 55

Hardware Write Blocker

• A hardware write blocker (HWB) is a hardware device that is physically connected between the computer system and the storage device with the primary purpose of preventing (or ‘blocking’) any inadvertent writing to the storage device.

• Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

CERT-In 56

Disk Imaging Tools

• dd (linux, win)
• SafeBack (win)
• SnapBack DatArrest
• Drive Image Pro
• R-Drive Image
• FTK’s built-in feature

SW based imaging takes a lot of time. To save time, use HW based drive imaging equipment.

CERT-In 57

Authentication

CERT-In 58

Authentication

• Original evidence, once identified, MUST be used only with write blockers for avoiding inadvertent writing of data to it.

• On acquisition of original evidence, immediately make its forensic image (using write blockers) and compute the MD5 hash value of its image files.

• For making a forensic image / cloning of hard disk (evidence) always use freshly wiped Hard Disk.

• Always make at least two clones of original evidence and authenticate these by verifying their MD5 hash values with that of the original forensic image.

CERT-In 59

Verification of Integrity of Evidence

• A hash function is a well-defined mathematical function for calculating the digest of data (the evidence as a file) into a hexadecimal integer. The value returned by a hash function is called the hash value, hash code, checksum, message digest or simply hash.
• Like a fingerprint of a file
• Can not provide any other detail about the data / file (evidence)
• If the evidence is altered in any way, its hash value will also change.
• MD5 (128 bit), SHA-1 (160 bit)

CERT-In 60

Why is data hashing needed?

• Digital data is vulnerable to intentional or unintentional alteration
• Integrity of digital evidence is required to be maintained, starting from seizure till analysis
• Forensic examiners have to ensure that digital evidence is not compromised during the computer forensic analysis process.
• To do this, we need a digitalized tag for managing the digital evidence
  – A fingerprint of the digital evidence could be a digitalized tag

CERT-In 61

Integrity of Digital Evidence

Integrity check through verification of –

• MD5 (Message Digest Algorithm version 5) checksum / hash value – 128 bits (32 Hex Digits)

• SHA – 160 bits (40 Hex Digits)

Proof of Integrity of image of the digital evidence -

Tool : md5sum.exe (win, linux)

> md5sum <filename>

Demonstration
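As an added example (not part of the original slides), the integrity check described above carried out in Python: the image is hashed in chunks, every clone's digest is compared with the digest of the original forensic image, and a constructed sample shows that a single flipped bit in one clone fails verification. The file names and the sample bytes are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Disk images are large: hash them in 1 MiB chunks instead of reading them whole.
CHUNK_SIZE = 1024 * 1024

# Digest lengths the slides quote, in hex digits: MD5 128 bit, SHA-1 160 bit.
HEX_DIGITS = {"md5": 32, "sha1": 40}


def hash_bytes(data, algo="md5"):
    """Hex digest of an in-memory buffer (used for the known test vectors)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="md5"):
    """Hex digest of a file read in chunks, e.g. a dd image of a seized disk."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_clones(original_image, clone_paths, algo="md5"):
    """Authenticate clones against the original forensic image.

    Returns (reference_digest, {clone_path: (digest, matches)}) so that every
    value can be copied into the lab evidence log.
    """
    reference = hash_file(original_image, algo)
    report = {}
    for clone in clone_paths:
        digest = hash_file(clone, algo)
        report[clone] = (digest, digest == reference)
    return reference, report


def demo(algo="md5"):
    """Constructed sample: a tiny stand-in image, one faithful clone and one
    clone with a single flipped bit. Returns (reference, clone1_ok, clone2_ok)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        clone1 = os.path.join(workdir, "clone1.dd")
        clone2 = os.path.join(workdir, "clone2.dd")

        # Constructed bytes, not a real disk image.
        data = b"CONSTRUCTED-IMAGE" + bytes(range(256)) * 64
        for path in (image, clone1):
            with open(path, "wb") as fh:
                fh.write(data)

        tampered = bytearray(data)
        tampered[4096] ^= 0x01          # one bit changed deep inside the clone
        with open(clone2, "wb") as fh:
            fh.write(tampered)

        reference, report = verify_clones(image, [clone1, clone2], algo)
        return reference, report[clone1][1], report[clone2][1]


if __name__ == "__main__":
    ref, ok1, ok2 = demo()
    print("reference md5:", ref)
    print("clone1 matches:", ok1, "| clone2 matches:", ok2)
```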


CERT-In 74

Electronic Evidence : Identification

CERT-In 75

Methods of Hiding Data

• Watermarking: Hiding data within data
  – Information may be hidden in any of the file formats.
  – Media files with more room for compression are the best:
    • Image files (JPEG, GIF)
    • Sound files (MP3, WAV)
    • Video files (MPG, AVI)
  – Hidden information may be encrypted too
  – Many tools are freely available online

CERT-In 76

Methods of Hiding Data

• Media files contain images and sounds. These files are exploited using new, controversial logical encodings: steganography.

• Steganography: The art of storing information in such a way that its existence is hidden and not detectable by a general user.

CERT-In 77

Steganography

Demonstration

CERT-In 78

Methods of Hiding Data

• Hard Drive / File System manipulation
  – File Slack is the space between the last byte of a file and the first byte of the next cluster. The logical end of a file comes before the physical end of the cluster in which it is stored. The remaining bytes in the cluster are remnants of previously deleted files or directories stored in that cluster.
    • File Slack can be accessed and written using a hex editor or a tool.
    • This does not change the “used space” information of the drive, directory or file.
  – Partition waste space is the rest of the unused track on which the boot sector is stored – usually 10s, possibly 100s of sectors are skipped.
    • After the boot sector, the rest of the track is left empty.

CERT-In 79

File Slack

• Green : Space used by file for data storage (Sectors 1 to 5).

• Red : Unused sectors in the last cluster. File Slack or Slack Space (Sectors 6 to 8)

• Blue : RAM Slack (Sector 5)

(1 Cluster = 8 Sectors = 8 * 512 Bytes = 4096 Bytes = 4 KB; i.e. min. size of a file in NTFS on a hard disk)
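An added worked example, not from the original slides, that generalises the picture above: given a file size and the cluster geometry (sector size and sectors per cluster are parameters, defaulting to the 512-byte sector and 8-sector cluster of the slide), it computes the sectors used, the RAM slack bytes and the file slack sectors, and classifies any byte offset within the allocated cluster chain as file data, RAM slack or file slack.

```python
SECTOR_SIZE = 512          # bytes per sector, as in the slide
SECTORS_PER_CLUSTER = 8    # 8 * 512 = 4096-byte cluster, as in the slide


def slack_layout(file_size, sectors_per_cluster=SECTORS_PER_CLUSTER,
                 sector_size=SECTOR_SIZE):
    """Describe how a file of `file_size` bytes occupies its allocated clusters.

    Returns a dict with:
      clusters            clusters allocated (at least one, as in the slide)
      sectors_used        sectors that hold file data (green in the slide)
      ram_slack           bytes from end of data to end of last used sector (blue)
      file_slack_sectors  whole unused sectors in the last cluster (red)
      total_slack         every allocated byte that does not belong to the file
    """
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    cluster_size = sectors_per_cluster * sector_size
    clusters = max(1, -(-file_size // cluster_size))     # ceiling division
    sectors_used = -(-file_size // sector_size)
    ram_slack = (-file_size) % sector_size               # 0 on a sector boundary
    file_slack_sectors = clusters * sectors_per_cluster - sectors_used
    return {
        "clusters": clusters,
        "sectors_used": sectors_used,
        "ram_slack": ram_slack,
        "file_slack_sectors": file_slack_sectors,
        "total_slack": clusters * cluster_size - file_size,
    }


def classify_offset(offset, file_size, sectors_per_cluster=SECTORS_PER_CLUSTER,
                    sector_size=SECTOR_SIZE):
    """Name the region a byte at `offset` (counted from the start of the file's
    first cluster) falls in: 'data', 'ram_slack', 'file_slack' or 'unallocated'.
    Useful when a keyword hit lands inside a cluster and the examiner needs to
    know whether it belongs to the file or to slack."""
    layout = slack_layout(file_size, sectors_per_cluster, sector_size)
    allocated = layout["clusters"] * sectors_per_cluster * sector_size
    if offset < 0 or offset >= allocated:
        return "unallocated"
    if offset < file_size:
        return "data"
    if offset < layout["sectors_used"] * sector_size:
        return "ram_slack"
    return "file_slack"


if __name__ == "__main__":
    # A 2300-byte file reproduces the slide: sectors 1-5 used, 6-8 file slack.
    print(slack_layout(2300))
    for off in (2299, 2300, 2560, 4096):
        print(off, classify_offset(off, 2300))
```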

CERT-In 80

Tool

• Slacker
  – For hiding a file in slack space
    >slacker –s <filename> <metadata>
  – For restoring a file from slack space
    >slacker –r <metadata>

CERT-In 81

Methods of Hiding Data

• Hard Drive / File System manipulation cont…
  – Hidden drive space is non-partitioned space in between partitions
    • The File Allocation Table (FAT) is modified to remove any reference to the non-partitioned space
    • The addresses of the sectors must be known in order to read / write information to them
  – Bad sectors occur when the OS attempts to read info from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from / written to again
    • Users can control the flagging of bad sectors
    • Flagged sectors can be read from / written to with direct reads and writes using a hex editor

CERT-In 82

Methods of Hiding Data

• Hard Drive / File System manipulation cont…
  – Extra Tracks: most hard disks have more than the rated number of tracks to make up for flaws in manufacturing (to keep from being thrown away because of failure to meet the minimum number).
    • Usually not required or used, but with direct (hex editor) reads and writes, they can be used to hide / read data
  – Change file names and extensions – i.e. rename a .doc file to a .dll file

CERT-In 83

Host Protected Area (HPA)

• The Host Protected Area is a special area of the disk that can be used to save data.

• The size of this area is configurable using ATA commands

• Many disks have a size of 0 by default
• HPA introduced in ATA-4
• Generally used to store Vendor Information that can not be erased by the user when they format the DISK

CERT-In 84

Host Protected Area (HPA)

• HPA can be set at the end of the disk
• 1 GB is Host Protected Area

CERT-In 85

Device Configuration Overlay (DCO)

• In addition to HPA, data can also be hidden using DCO.

• Introduced in ATA-6

CERT-In 86

DCO

CERT-In 87

NTFS : Alternate Data Streams (ADS)

• NTFS supports multiple streams of data, ADS, to store file details
• Added to NTFS for supporting the Mac Hierarchical FS
• Files can be hidden in ADS, and mostly go undetected
• Allows multiple files (streams) to be attached to ANY file
• Windows does not have any built in tool for listing ADS
  – Files stored in an ADS will not show up in listings
  – File size of the carrier does not show an increase

CERT-In 88

ADS - Characteristics

• ADS have no attributes of their own
• The Streams can only be executed if called directly by a program with the full path to the file given.
• None of the Internet protocols enabling file transfer, such as SMTP, FTP etc., support streams. This means that ADS can't be sent via the Internet. However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
• In certain cases, streams have been used to remotely exploit a web server. Some web servers are susceptible to having their file source read via the ::$DATA stream. If a server side script such as PHP or ASP is running on a web server which is not patched properly, instead of getting output as a result of processing the script, the source code of the ASP / PHP file could be viewed by using a URL like this:
  – http://www.abcd.com/index.asp::$DATA
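An added detection example, not part of the original slides, for the ::$DATA source-disclosure request described above: it scans constructed web server access log lines (common log format; the hosts and paths are made up) for request paths that end in an ADS stream reference, decoding percent-encoding first so that encoded variants are caught too, and records whether the server answered with 200.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (common log format); hosts and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:02 +0530] "GET /index.asp HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2009:10:01:07 +0530] "GET /index.asp::$DATA HTTP/1.1" 200 3172
10.0.0.9 - - [12/Mar/2009:10:01:09 +0530] "GET /login.asp%3A%3A%24DATA HTTP/1.1" 404 312
10.0.0.7 - - [12/Mar/2009:10:02:00 +0530] "GET /images/logo.gif HTTP/1.1" 304 -
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# An NTFS stream reference on the end of a path: ":<name>:$DATA" or "::$DATA".
STREAM_SUFFIX = re.compile(r':[^/:]*:\$DATA$', re.IGNORECASE)


def is_stream_path(target):
    """True when the decoded request path (query string dropped) ends in an
    ADS reference, whatever the letter case or percent-encoding used."""
    path = unquote(target).split("?", 1)[0]
    return STREAM_SUFFIX.search(path) is not None


def find_stream_requests(log_text):
    """Return one finding per request whose path carries a stream reference.

    `served` is True when the status was 200: on an unpatched server that is
    the case in which the script source, not its output, may have gone out.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_stream_path(m.group("target")):
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": unquote(m.group("target")),
            "status": int(m.group("status")),
            "served": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```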

CERT-In 89

Creating & Executing ADS

• Type (command to create an ADS)
  C:\>type notepad.exe>try.txt:virus.exe
  (To create an ADS file virus.exe and attach it to the file try.txt. In the directory you will just see try.txt, and not virus.exe. Run LADS, and you will see the ADS.)

• Start (command to execute an ADS, FoundStone)
  C:\>start /B try.txt:virus.exe
  Imp. note: The /B option allows the attacker to run the command without spawning a new window (which could alert the user that something is going on without his knowledge)

  – As you can see from the snapshot, there is no change in the size of try.txt. The only visible change is in the modification date and time of the try.txt file, which is overlooked by many users

CERT-In 90

List the ADS

C:\test>lads c:\ (http://www.heysoft.de)

- Displays all the ADS files created in this folder

CERT-In 91

LNS

• List NTFS Streams (http://ntsecurity.nu/toolbox/lns/)
• LNS is a tool that searches for NTFS streams (alternate data streams or multiple data streams). This can be useful in a forensic investigation.

CERT-In 92

SFind (Foundstone)

• SFind scans the disk for hidden data streams and lists the last access times.

CERT-In 93

Other ADS Detecting Tools

• Streams (SysInternals) – Works the same as LADS
  C:\>streams –s c:\
• Crucial ADS
• ADS Detector (a plug in for Internet Explorer)
• ScanADS (Kodeit)

CERT-In 94

ADS Spy

CERT-In 95

Hijackthis

• Hijackthis is an award winning tool which examines certain key areas of the Registry and Hard Drive and lists their contents.
• Hijackthis includes many other tools such as StartupList log, Ads Spy, Hosts file manager, etc. which make it one great tool for any administrator. (http://www.merijn.org/files/hijackthis.zip)

CERT-In 96

Deleting ADS from a file

• An ADS attached to a file can be removed by using the following methods:

1. Using tools such as ADS Spy, Hijackthis, Streams.exe, or from the streams tab in the properties window of a file

2. Copying the file to a Non-NTFS file system such as FAT32 which does not support ADS

3. Moving the contents of the main unnamed stream into another file by using the following commands:
   c:\>ren file.txt try.txt
   c:\>type try.txt>file.txt
   c:\>del try.txt

CERT-In 97

Electronic Evidence : Analysis

CERT-In 98

While Examining Digital Evidence -

• Trust none - Verify all & everything
• Never rely on a single tool. Use multiple tools to cross-validate the results
• Follow the organisation’s Security Policy
• Always backup the discovered information
• Never exceed your knowledge
• Always remember that you are required to testify in a court of law
• Ensure that your actions are repeatable

CERT-In 99

Evidence Examination

• Preparation
• Extraction
  – Physical
  – Logical
• Analysis of extracted data
  – Timeframe Analysis
  – Data hiding Analysis
  – Application & file analysis
  – Ownership & possession
• Conclusion

CERT-In 100

Analysis of Digital Evidence

• Analysis of data on storage media
• Discovery / cracking of passwords
• Keyword searches
• Extracting emails
• Extracting picture files

CERT-In 101

Objectives of Evidence Analysis

• Whether system user exceeded or abused his access privileges ?

• Whether the specific system transaction was made during the given period of time & who did it ?

• Accounting for the activities of user(s) on the system during the given period of time

• Tracking of e-mail message(s) back to its source

CERT-In 102

Methodology for Evidence Analysis

1. Refer to the case profile & make a list of relevant keywords
2. Evaluate all log files (including Firewall, IDS, Router, etc., as applicable)
3. Upgrade the list of relevant keywords based on the above
4. Search the evidence for keywords
5. Keyword Search Results - Document the file names with date & time
6. Update the list of keywords based on data in relevant files & Go to 4
7. Record all - observed v/s expected files, folders, binaries, www data, emails, file conditions, etc.

CERT-In 103

Digital Evidence : Analysis

• Manual analysis of encrypted, compressed and graphics files

• Have more than one copy of the bit stream image of storage media for analysis / examination

• Applications (executable files) – run & learn their purpose. (Destructive processes ?)

• Recycle Bin / Trash

CERT-In 104

Digital Evidence : Analysis

• Discover & evaluate swap, temp / tmp, file slack, meta-data and artifacts

• Explore & evaluate all allocated as well as unallocated space (for recovery of hidden / deleted files / partitions) in the bit stream image through tool.

• Never go beyond the task assigned

CERT-In 105

Password Discovery Tools

• Asterisk Logger
• AsterWin IE
• Network Password Recovery
• Protected Storage PassView
• Passware
• MessenPass (for IM)
• Mail PassView (e-mail)
• Brute Force
• AccessData FTK
• Rainbow Tables

CERT-In 106

Password Cracking

• Zip files• Doc files• Xls files• Pdf files

Demonstration

CERT-In 107

Digital Evidence Analysis Strategy

• It is better to analyse the digital evidence in an isolated virtual environment, such as VMWare

• Have vmware image of 2-3 most used operating systems (e.g. win, linux)

• Only 1 case should be analysed on 1 virtual machine

• A system may have more than 1 virtual machine of same or diff. OS

CERT-In 108

Windows Registry

• Some applications’ passwords are stored there
• Some SW applications register name, company, license, address and time / date of installation
• Uninstallation of a program leaves forensic ‘residue’
• Browser settings
• Registry keys
  – Used by various malware
  – The ubiquitous "Run" Key
  – Services
• ClearPagefileAtShutdown Registry Key
• StartUp directories

CERT-In 109

Forensic Analysis of the Registry

• It contains important information such as:
  – Usernames and Passwords for programs, e-mails, IP Addresses and Internet sites
  – A history of internet sites accessed, including date, time and queries.
  – List of recently accessed files
  – A list of software installed on the system.

• On Windows XP and 2000 the registry information is primarily stored in the following files:
  – SAM
  – SYSTEM
  – SECURITY
  – SOFTWARE
  – NTUSER.DAT

These files may be seen in the folder \windows\system32\config\

CERT-In 110

What is Windows Registry?

• Windows Registry
  – is a central hierarchical database used in MS Windows systems
  – holds much system configuration information
    • hardware / software settings / installed device drivers

• Computer forensics analyst
  – can discover a lot of information pertaining to the suspect

CERT-In 111

Registry: A Wealth of Information

Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords

CERT-In 112

History of Registry

• DOS
  – config.sys / autoexec.bat
• Windows 3.0
  – program.ini / control.ini / win.ini / system.ini
• Windows 3.1
  – included the 1st Windows registration table
• Since Windows NT
  – NT Registry (more flexible & capable)

CERT-In 113

NT Registry

• Windows XP has 5 registry files
  – HKEY_CLASSES_ROOT (HKCR)
  – HKEY_CURRENT_USER (HKCU)
  – HKEY_LOCAL_MACHINE (HKLM)
  – HKEY_USERS (HKU)
  – HKEY_CURRENT_CONFIG (HKCC)

CERT-In 114

Windows Registry Hives

• Windows Registry’s path on Windows XP – %SystemRoot%\system32\config

Registry Hives                 Related files
HKEY_LOCAL_MACHINE/SAM         Sam, Sam.log
HKEY_LOCAL_MACHINE/Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE/System      System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav, NTUser.dat, NTUser.dat.log
HKEY_USERS/DEFAULT             Default, Default.log, Default.sav
HKEY_CURRENT_USER              NTUser.dat, NTUser.dat.log
HKEY_USERS/[SID]               NTUser.dat, NTUser.dat.log

CERT-In 115

Registry Managing Tools

• Regmon : http://www.sysinternals.com
• WinResCue : http://www.superwin.com
• Crawler : http://www.4developers.com
• Tweak : http://www.jockesoft.com
• Winboost : http://www.magellass.com
• Reganal : http://www.balwork.com

CERT-In 116

Registry Organization


CERT-In 117

Typed URLs – Internet Explorer


CERT-In 118

Registry Forensics

• Yahoo messenger
  – Chat rooms
  – Alternate user identities
  – Last logged in user
  – Encrypted password
  – Recent contacts
  – Registered screen names

CERT-In 119

Registry Forensics

• System:
  – Computer name
  – Dynamic disks
  – Install dates
  – Last user logged in
  – Mounted devices
  – Windows OS product key
  – Registered owner
  – Programs run automatically
  – System’s USB devices

CERT-In 120

USB Devices


CERT-In 121

Winzip – list of files extracted


CERT-In 122

Recently opened Applications


CERT-In 123

Recently download / saved file


CERT-In 124

Windows Information

• HKLM\Software\Microsoft\Windows NT\CurrentVersion
• This key contains information about installed software and Windows
  – CSDVersion : installed service pack
  – InstallDate : Windows' install date (Unix 32-bit hex value – big endian)
  – PathName & SystemRoot : Windows' installed path
  – ProductID & ProductName : Microsoft product ID
  – RegisteredOwner
  – RegisteredOrganization
  – Network cards

CERT-In 125

Install date & OS Version


CERT-In 126

System Configuration Registry

• HKLM\System
  – Need to find the current system control registry key to see the user's configuration settings
  – ControlSet00x : system configuration setting subkey
  – MountedDevices, used by the Logical Disk Manager, lists all the known volumes
  – The Select subkey remembers which control sets exist on the machine

CERT-In 127

Time Zone Information


CERT-In 128

Windows Shut Down Time

• HKLM\System\ControlSet00x\Control\Windows
  – Information related to Windows
  – ShutdownTime : Windows shut-down time
  – Windows 64-bit date & time (little endian)

CERT-In 129

System Time Information

• To verify the system time, checking the BIOS time takes precedence over the others

• System time depends on BIOS time

• Procedure for confirming the system's install date and shut-down time
  – Check the BIOS time after power-on
  – Confirm the current control set in the registry
  – Verify the Time Zone Information
  – Identify the install date and shutdown time
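The last step of that procedure, decoding the raw values, is where examiners most often slip on endianness and time zones. The following script is an added example (not code from the CERT-In deck): it decodes an InstallDate DWORD (Unix epoch seconds, as on the Windows Information slide), a ShutdownTime REG_BINARY (8-byte little-endian FILETIME, as on the Windows Shut Down Time slide) and applies the ActiveTimeBias value from TimeZoneInformation to express both in the machine's configured local time. All sample values are constructed; they are assumed to have been read from an offline copy of the SOFTWARE and SYSTEM hives.

```python
r"""Decode InstallDate, ShutdownTime and the time-zone bias from registry values.

Added example, not code from the CERT-In deck. Assumed inputs, already read
from an offline hive copy:
  * InstallDate     (REG_DWORD, Unix epoch seconds)
                    HKLM\Software\Microsoft\Windows NT\CurrentVersion
  * ShutdownTime    (REG_BINARY, 8-byte little-endian FILETIME)
                    HKLM\System\ControlSet00x\Control\Windows
  * ActiveTimeBias  (REG_DWORD, minutes; UTC = local + bias)
                    HKLM\System\ControlSet00x\Control\TimeZoneInformation
The sample values below are constructed for the demonstration.
"""
import datetime as dt
import struct

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def decode_install_date(install_date: int) -> dt.datetime:
    """InstallDate is a DWORD of Unix epoch seconds (regedit displays it in hex)."""
    return dt.datetime.fromtimestamp(install_date, tz=dt.timezone.utc)


def dword_le(raw: bytes) -> int:
    """A DWORD read straight from hive bytes is stored little-endian on disk."""
    (value,) = struct.unpack("<I", raw)
    return value


def decode_filetime(raw: bytes) -> dt.datetime:
    """ShutdownTime: 8 bytes, little-endian, 100-ns ticks since 1601-01-01."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + dt.timedelta(microseconds=ticks // 10)


def to_local(utc: dt.datetime, active_time_bias: int) -> dt.datetime:
    """Apply TimeZoneInformation. Windows stores the bias in minutes with
    UTC = local + bias, so a negative bias means east of Greenwich. A DWORD
    read as unsigned must be reinterpreted as a signed 32-bit value first."""
    if active_time_bias >= 2 ** 31:
        active_time_bias -= 2 ** 32
    return utc.astimezone(dt.timezone(dt.timedelta(minutes=-active_time_bias)))


# Constructed sample values (not taken from any real system).
SAMPLE_INSTALL_DATE = 0x4860CD7D                          # DWORD as regedit shows it
SAMPLE_INSTALL_DATE_RAW = bytes.fromhex("7dcd6048")       # same DWORD as it sits in the hive
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("803caeeaaed6c801")  # FILETIME, little-endian
SAMPLE_ACTIVE_TIME_BIAS = 0xFFFFFEB6                      # -330 minutes (UTC+05:30) as unsigned


def timeline_report(install_date: int = SAMPLE_INSTALL_DATE,
                    shutdown_raw: bytes = SAMPLE_SHUTDOWN_TIME,
                    bias: int = SAMPLE_ACTIVE_TIME_BIAS) -> dict:
    """Both timestamps in UTC and in the machine's configured local time."""
    installed = decode_install_date(install_date)
    shutdown = decode_filetime(shutdown_raw)
    return {
        "install_utc": installed.isoformat(),
        "install_local": to_local(installed, bias).isoformat(),
        "shutdown_utc": shutdown.isoformat(),
        "shutdown_local": to_local(shutdown, bias).isoformat(),
    }


if __name__ == "__main__":
    for key, value in timeline_report().items():
        print(f"{key:15s} {value}")
```

Report both columns: the UTC value is what the hive actually stores, the local value is what the BIOS clock and the user's own recollection are expressed in, and the bias is itself evidence that should be recorded from the same control set used for the other values.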

CERT-In 130

IP address & MAC address

• HKLM\System\ControlSet00x\Services\{CLSID}\Parameters\Tcpip
  – DefaultGateway / IPAddress

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
  – Network card information installed on the system
  – ServiceName specifies which driver runs the card

• HKLM\System\MountedDevices
  – \??\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  – The last 12 digits are the MAC address

CERT-In 131

CERT-In 132

Auto Run Program Information

• Programs which run automatically, without the user's permission, whenever the system boots may be malicious

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  – This key specifies programs to run when Windows starts

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  – AppInit_DLLs : .dll files loaded when a GUI application program runs
  – A malicious attacker can run whichever .dll files he wants without notifying the user
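A first pass over those two keys can be automated once they have been exported to text. The script below is an added example (not code from the CERT-In deck): it parses the regedit 5.00 export format for string and DWORD values, pulls the image path out of each Run entry, flags entries that start from user-writable locations, and flags any populated AppInit_DLLs value. The export text is constructed sample data and its file names are not real indicators; the keys are assumed to have been exported from the examiner's working copy of the SOFTWARE hive.

```python
r"""Triage the Run key and AppInit_DLLs from a .reg export.

Added example, not code from the CERT-In deck. The export below is a
constructed sample in regedit 5.00 format; the names in it are made up.
"""
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\ExampleVendor\\updater.exe /background"
"Antivirus"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /silent"
"wupdmgr"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\wupdmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\examplehook.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

# Keys from the slide, compared case-insensitively (registry key names are).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows".lower()

# Path fragments that mark locations an ordinary user can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


def unescape(text: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> dict:
    """Return {key (lower-cased): {value name: value}} for REG_SZ and REG_DWORD values."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            result[current][name] = unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            result[current][name] = int(raw[len("dword:"):], 16)
    return result


def image_path(command: str) -> str:
    """Extract the executable from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def triage_autoruns(text: str = SAMPLE_REG_EXPORT) -> list:
    """List autorun entries an examiner should look at first, with the reason."""
    keys = parse_reg_export(text)
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        path = image_path(str(value))
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append({"key": RUN_KEY, "name": name, "path": path,
                             "reason": "autorun started from a user-writable location"})
    for name, value in keys.get(WINDOWS_KEY, {}).items():
        if name.lower() == "appinit_dlls" and str(value).strip():
            findings.append({"key": WINDOWS_KEY, "name": name, "path": str(value),
                             "reason": "AppInit_DLLs populated: DLL loaded into every GUI process"})
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns():
        print(f"{finding['name']:14s} {finding['path']}\n    {finding['reason']}")
```

The location heuristic is deliberately simple: it does not say an entry is malicious, only that it deserves the hash check and file-metadata look that the toolkit slides describe, and every Run value and the AppInit_DLLs value still belong in the report regardless of whether they are flagged.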

CERT-In 133

External Storage Information

• HKLM\System\ControlSet00x\Enum\IDE
  – This key contains information about storage devices connected via IDE cable
  – Key includes manufacturers and model numbers

• HKLM\System\ControlSet00x\Enum\USBSTOR
  – This key contains information about storage devices connected via USB port
  – [Device Type]&Ven_[Vendor]&Prod_[Product ID]&Rev_[Version]
  – Example : Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00

• HKLM\System\ControlSet00x\Enum\USB
  – This key contains information about devices connected via USB port
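The USBSTOR key names above and the MountedDevices volume names on the IP address & MAC address slide are both structured strings worth parsing rather than reading by eye. This added example (not code from the CERT-In deck) splits a USBSTOR key name into device type, vendor, product and revision, and decodes a \??\Volume{GUID} name. It also carries the check a practitioner wants for the "last 12 digits are the MAC address" rule: that holds for RFC 4122 version-1 GUIDs, whose final 48 bits are the generating host's node identifier, while a version-4 GUID's final digits are random, so the code only reports a MAC when the GUID version makes one meaningful. The ALTECH string is the slide's own example; the other key names and GUIDs are constructed, and are assumed to have been listed from an offline copy of the SYSTEM hive.

```python
r"""Parse USBSTOR key names and MountedDevices volume GUIDs.

Added example, not code from the CERT-In deck. Sample strings are
constructed except the ALTECH one, which is the slide's example.
"""
import re
import uuid

USBSTOR_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$")
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{(?P<guid>[0-9a-fA-F-]{36})\}$")


def parse_usbstor_key(name: str) -> dict:
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into its four fields."""
    m = USBSTOR_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device id: {name!r}")
    return m.groupdict()


def parse_volume_name(name: str) -> dict:
    """Decode '\\??\\Volume{GUID}'. A MAC address is reported only for a
    version-1 GUID whose node field is a real (unicast) hardware address."""
    m = VOLUME_RE.match(name)
    if not m:
        raise ValueError(f"not a volume name: {name!r}")
    guid = uuid.UUID(m.group("guid"))
    node_hex = f"{guid.node:012x}"          # the last 12 hex digits of the GUID
    mac = None
    multicast = (guid.node >> 40) & 1       # set when the node was generated randomly
    if guid.version == 1 and not multicast:
        mac = ":".join(node_hex[i:i + 2] for i in range(0, 12, 2))
    return {"guid": str(guid), "version": guid.version, "node": node_hex, "mac": mac}


# Constructed sample data (the first USBSTOR name is the slide's example).
SAMPLE_USBSTOR_KEYS = [
    "Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00",
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07",
    "CdRom&Ven_Example&Prod_USB_DVD&Rev_1.00",
]
SAMPLE_VOLUMES = [
    r"\??\Volume{6b5ebc50-4b3e-11dd-9c12-001122334455}",  # version 1: node is a MAC
    r"\??\Volume{3f2504e0-4f89-41d3-9a0c-0305e82c3301}",  # version 4: node is random
]


def device_inventory(usbstor_keys=SAMPLE_USBSTOR_KEYS, volumes=SAMPLE_VOLUMES) -> dict:
    """Structured inventory suitable for the 'mounted devices' section of a report."""
    return {"usb_storage": [parse_usbstor_key(k) for k in usbstor_keys],
            "volumes": [parse_volume_name(v) for v in volumes]}


if __name__ == "__main__":
    inventory = device_inventory()
    for dev in inventory["usb_storage"]:
        print(f"{dev['type']:6s} {dev['vendor']:10s} {dev['product']:14s} rev {dev['revision']}")
    for vol in inventory["volumes"]:
        print(f"{vol['guid']}  v{vol['version']}  mac={vol['mac']}")
```

When the GUID version is 4 the node field is still worth recording, because it ties the volume to the same MountedDevices entry across snapshots of the hive, but it must not be reported as a hardware address.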

CERT-In 134

Windows XP Registry

• Earlier in win.ini, system.ini
• Located in %SystemRoot%\system32\
• Organised in 5 sections – termed 'Hives'
• Each hive has keys and subkeys, which contain value entries
• Each value entry has a name, data type and value
• Windows XP Registry Hives
  – HKEY_CLASSES_ROOT (file name-OLE-streams)
  – HKEY_CURRENT_USER (sid-user-desktop)
  – HKEY_LOCAL_MACHINE (configuration, memory, last boot)
  – HKEY_USERS (all user account profiles)
  – HKEY_CURRENT_CONFIG (running image)

• Note about .SAV files

CERT-In 135

Computer Forensic Tool Kits (FTK)

• Provides an integrated Graphical User Interface (GUI) to the set of tools used in the FTK

• Ease of use, follows the steps in sequence
• Investigator need not bother about the tools, their usage syntax, results and documentation

CERT-In 136

Toolkit Features

• Imaging
• Integrity/Authentication through hash value
• Deleted files
• Files with bad extension
• Files with slack
• Encrypted/compressed files
• Display of file contents
• Display of file contents in hex format
• Report preparation

CERT-In 137

Computer Forensic Tool Kits

• CyberCheck Suite (C-DAC) : Commercial
• EnCase (Guidance) : Commercial
• FTK (AccessData) : Commercial
• Helix : Freeware
• Autopsy (GUI) + Sleuth Kit : Freeware
• TCT (The Coroner's Toolkit) : Freeware
• Knoppix STD : Freeware
• ProDiscover : Commercial


CERT-In 141

Reporting / Presentation of the findings

CERT-In 142

Documentation & Reporting

• Case profile
• Objective
• Computer system details
• Offenses
• Investigated by
• Examined at
• Tools used

CERT-In 143

Documentation & Reporting (cont'd …)

• Processing
  – Assessment
  – Imaging
  – Analysis
  – Findings

• Conclusion
• Summary
• Glossary

CERT-In 144

Entries to be included in the Report…

• Ensure the report is addressed to the case forwarding agency's address.

• Details about the chain of custody (when, who, what, etc.) of how the case was registered, seized and forwarded to the forensic laboratory.

• Total number of pages of the report, including annexures such as the glossary and hard copies of vital evidence.

CERT-In 145

Entries to be included in the Report…

• Details about the received suspected media
  – i.e. Forensic lab marking of the exhibits (suspected media).
  – Make of the exhibits.
  – Model of the exhibits.
  – Serial number of the exhibits.
  – Capacity / size of the exhibits.
  – Interface of the exhibits (IDE, SATA, IDE 1.5 (laptop hard disk), SSD (Solid State Disk; flash memory technology)).

CERT-In 146

Hard disk Information

CERT-In 147

Entries to be included in the Report…

• Details about the sterile disk, i.e. markings on the sterile (or new) hard disk.
  – Make of the sterile disk.
  – Model of the sterile disk.
  – Serial number of the sterile disk.
  – Capacity / size of the sterile disk.
  – Cylinders, heads, sectors, etc.

CERT-In 148

Entries to be included in the Report…

• How imaging was carried out
  – Whether offline or through an RJ45 cross cable (network acquisition) using the NIC.
  – Whether a hardware write-blocker was used (for connecting the suspected disk) or not.
  – Jumper position of both hard disks (suspected and sterile).

CERT-In 149

Entries to be included in the Report…

• Disk details report, which includes
  – Complete hard drive (suspected media) information.
  – Volumes (number of partitions) information.
  – Label names of the volumes.
  – Used space and unused space, etc.
  – File systems, type and version of OS.

CERT-In 150

Disk Report -1

CERT-In 151

Disk Report (Partition)-2

CERT-In 152

Entries to be included in the Report…

• If a soft copy is provided to the investigation agency, then details about
  – What the files are and their names
  – File attributes (metadata).
  – CD/DVD make, serial numbers, label name; and it should be signed by the forensic investigator.
  – Ensure that the multisession writing facility for the CD/DVD is disabled.

CERT-In 153

Entries to be included in the Report…

• If encrypted (password-protected) files are found, then
  – Number of the files
  – Names of the files
  – Passwords of the files concerned, if able to recover
  – List of the files whose passwords could not be recovered.
  – File path in the hard disks.
  – Page number of the annexure where the encrypted file concerned can be found.

CERT-In 154

Entries to be included in the Report…

• Which forensic software tools have been used…
  – Name of the software tool.
  – Should be legally licensed.
  – Its version.
  – Manufacturer's address.
  – Details about third-party tools and their versions.
  – Examples: EnCase, FTK, Cyber Check Suite, Helix, Email Examiner, Email Tracer, WFA, WFT, Resource Hacker, etc.

CERT-In 155

Entries to be included in the Report…

• Mention the current date if it does NOT match the system date (suspected media).

• If a difference is encountered, then photograph the BIOS screen and enclose the photograph in the report as well.

• The page number of the issue concerned.

CERT-In 156

Log Files of Case Analysis

• While analysing the case, log files (audit trail) are automatically created by the FTKs.

• Hard copies of these files should be included and an entry should be made in the report.

• Ex: FTK analysis, Helix system information, physical memory acquisition, etc.

CERT-In 157

Glossary in the Report

• A glossary of technical terms, easily understandable by the police / judiciary, should be enclosed with the report and the same should be mentioned in the report

• Page numbers of the glossary of technical terms

• Ex: Unallocated space, slack space, IMEI, ESN, IMSI, MSISDN, MMS, deleted, archive, overwritten, etc.

CERT-In 158

Status about Exhibits

• What was the condition of the exhibits at the time of receipt in the forensic laboratory?

• Whether they were in good (sealed) condition or not.
• Entries should be made if the exhibits were physically damaged. If so, a photograph showing the physical damage should be attached.

CERT-In 159

Entries on damaged EXHIBITS

• Details about exhibits not examined.

• Technical reasons why examination was not possible – Example: spindle rotation, circuit problem, physical damage or any other reasons.

CERT-In 160

Entries on Forensic Analysis - 1

• Log files
• System files
• User-created files
• Recovered folders
• Unallocated space
• Slack space
• Cookies

CERT-In 161

Entries on Forensic Analysis - 2

• Temporary Internet files
• Web cache
• Chat files
• Email communications & attachments
• Encrypted files
• Picture files
• MPEG or media files

CERT-In 162

Entries on Forensic Analysis - 3

• Registry analysis
• IP address
• MAC address
• Mounted devices
• Pirated movies, songs
• Pirated software
• Executable files (.exe) and library (.dll) files

CERT-In 163

Entries on Forensic Analysis - 4

• Pornography
• Obscene pictures
• Child pornography
• Cyber stalking
• Cyber squatting
• Web jacking
• User IDs and passwords, etc.

CERT-In 164

Report on Anti Forensics

• Name of software like File Shredder
• Wiping tools
• Formatted dates
• Operating system installed dates
• Steganography
• Encrypted files, and
• Complete installed software list

CERT-In 165

Courtroom Preparations & Evidence Rules

• Take the time to acquire a basic working knowledge of the technical aspects of digital evidence in general.

• Allow enough time to master the specific technical details of the case at hand.

• Evidentiary issues : authentication and hearsay that arise in connection with digital evidence.

CERT-In 166

The Report should …

• Present an understandable theory based on the analysis & interpretations, and try to bring out the facts.

• Clarify the nature of the technological issues.
  – Is the electronic evidence associated with a 'high technology' crime?

CERT-In 167

The Report should …

• Identify & explain the source and nature of the digital evidence in the case.
  – Are the computers storage for evidence of a crime, or are they contraband (illegal imports, smuggled goods) evidence?
  – What hardware, software, operating system and system configurations were used by the victim or the accused?
  – Was the evidence found on a stand-alone personal computer or on a network?

CERT-In 168

The Report should …

• Include the hard copy of email messages or other digital evidence which is to be presented in the court.

• The analysis report & interpretation may be a voluminous document, for which an executive summary should also be provided.

CERT-In 169

Presenting the Evidence in the court room

• Have clean copies of exhibits
• Provide documents regarding seizure of exhibits
• Ensure adequate set-up time
• Ensure stand-by mode, sound and screen savers are deactivated in the PC system.
• Remember where the equipment was left off at the last break.
• Remember to protect the court room record with descriptions of referenced exhibits.

CERT-In 170

BIOS Mismatches

[Slide table comparing the BIOS screen with the system values. Columns: System, Boot sequence, Memory, System Time, System Date. BIOS row: Intel Duo 2 1.8 GHz; Floppy, CD, HDD; 512 MB; 16:03:33; 24/06/2008. Both time/date pairs shown on the slide read 16:03:33 and 24/06/2008.]

CERT-In 171

Supporting Materials

• List of supporting materials
  – that are included with the report, such as hard copies of particular items of evidence, digital copies of evidence (CD), and chain of custody documentation.

CERT-In 172

Analysis of the evidence image : A Sample Case Study (Scan 24)

A USB pen drive, along with the narcotics, has been seized by police from a person who was supplying narcotics to students of schools in a locality. The seized data storage media is to be analysed for evidence, for the police to find some supporting document for rejection of the bail application of the accused.

Demonstration

CERT-In 173

Anti-Forensics : Challenges ?

• Rootkit-based cyber crimes
• Tools on RAM (diskless)
• Disk sanitisers (Wipe, Cipher)
• Compressed files with password
• Encrypted files with password
• Evidence Eliminator applications
• Windows Washer application

CERT-In 174

Anti-Forensics

• Backdoors, e.g. 'Santa' (Remote Desktop Access)

• Cleaning the Registry – regedit
• Disk scrubbers – Secure Delete
• Hidden, inactive or encrypted partitions
• Special RAM-based PCs
• Special steganography tools

CERT-In 175

Steganography & Steganalysis - Deployment Scenario

[Slide diagram: User 1 feeds a Message and a Cover into a steganography Encoder (algorithm unknown to the examiner, like a password) to produce a Stego Object; on the other side, User 2 performs Detection, then Extraction and Reconstruction of the message.]

Message – plain text, cipher text
Cover – image, audio or video file
Forensic objectives – suspected IP addresses

Difficulties in steganalysis : original cover not available, stego-key / algorithm not known

Courtesy : C-DAC, Kolkata

CERT-In 176

Introduction to Steganalysis

[Slide figures: image before hiding and image after hiding; LSB pattern before hiding and LSB pattern after hiding.]

Message embedding sometimes introduces random noise, which changes the statistical properties of images.

Here the randomness of the LSB pattern has increased after hiding.

The increase in LSB (Least Significant Bit) randomness may act as a clue for steganalysis.

Courtesy : C-DAC, Kolkata

CERT-In 177

Introduction to Steganalysis (contd..)

[Slide figures: Original and Tampered images, with the LSB plane of the Original and the LSB plane of the Tampered image.]

The role of steganalysis is to inspect suspected packages, determine whether or not they have a payload of encoded information in them, and, if possible, recover that payload.

The original and tampered images are visually identical.

The message bits are hidden in the Least Significant Bits (LSBs).

Courtesy : C-DAC, Kolkata
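The clue described on the two slides above (the LSB plane becoming more random after hiding) can be turned into a measurable statistic. The script below is an added example, not code from the CERT-In deck or from C-DAC: it synthesises an 8-bit greyscale cover whose pixel histogram favours even values (a stand-in for the structure natural images carry), derives a stego object from it by overwriting every LSB with random bits (which is what an encrypted or compressed payload looks like statistically), and then runs two detection measures on each: the share of 1-bits in the LSB plane and the pairs-of-values chi-square test, in which LSB replacement can only move a pixel between 2k and 2k+1, so a fully embedded image shows both members of every pair about equally often. A real examination would load the suspect image's pixel values with an image library; the image data here is constructed, and only the standard library is used.

```python
"""Pairs-of-values (chi-square) LSB steganalysis on a constructed image.

Added example, not code from the CERT-In deck or from C-DAC. The cover and
the stego object are synthesised; the detection functions are what an
examiner would run on real pixel data.
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed: int = 1) -> list:
    """Constructed cover: 4096 pixel values around 128, about 75% of them even."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        value = min(255, max(0, int(rng.gauss(128, 40))))
        value = (value & ~1) if rng.random() < 0.75 else (value | 1)
        pixels.append(value)
    return pixels


def simulate_lsb_replacement(pixels: list, seed: int = 2) -> list:
    """Constructed stego object: every LSB replaced by a random payload bit."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]


def lsb_plane(pixels: list) -> list:
    """The bit plane an examiner visualises as the 'LSB pattern'."""
    return [p & 1 for p in pixels]


def ones_fraction(pixels: list) -> float:
    """Share of 1-bits in the LSB plane; drifts towards 0.5 once a payload is embedded."""
    plane = lsb_plane(pixels)
    return sum(plane) / len(plane)


def pairs_chi_square(pixels: list) -> tuple:
    """Chi-square over the 128 value pairs (2k, 2k+1), expected count for both
    members being their average. Returns (statistic, degrees of freedom).
    Near the degrees of freedom: consistent with a full random LSB payload.
    Far above it: the pairs are not equalised, i.e. no full LSB payload."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue                      # empty pair carries no information
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def analyse(pixels: list) -> dict:
    """Both measures in one record for the report."""
    chi2, dof = pairs_chi_square(pixels)
    return {"ones_fraction": ones_fraction(pixels), "chi_square": chi2, "dof": dof,
            "chi_square_per_dof": chi2 / dof if dof else float("nan")}


if __name__ == "__main__":
    cover = make_cover()
    stego = simulate_lsb_replacement(cover)
    for label, image in (("cover", cover), ("stego", stego)):
        print(label, analyse(image))
```

The statistic answers only the question the slides pose, whether the LSB plane looks like it has been overwritten; it says nothing about which tool was used or what the payload is, which is why the original cover and the stego-key remain the difficulties listed on the deployment slide.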
