Computer Forensics

Peter Caggiano

Outline

- My Background
- What is it?
- What can it do and not do?
- Goals
- Evidence
- Types of forensics
- Future problems
- How to enter the field
- Questions?

Background

Stockton College: BS Computer Science, minor in Mathematics

The George Washington University: MS Computer Science, concentrations in Information Assurance and Computer Forensics

Work Experience

- PG Lewis & Associates: corporate forensics and data recovery
- Department of State: computer investigations and forensics
- Nuclear Regulatory Commission: Office of the Inspector General

Computer Forensics

Computer forensics is the discipline of acquiring, preserving, identifying and examining digital media.

The application of computer science and mathematics to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.

What Is Computer Forensics?

- Often more of an art than a science
- Follows clear, well-defined methodologies
- Uses the same basic techniques as other forensic disciplines

What Forensics Can Do

- High-tech investigations
- Incident response
- Email recovery and analysis
- Document and file discovery
- Data collection, while still preserving MAC times (the modified, accessed and changed/created timestamps on each file) and other volatile data

What Forensics Can Do

- Uncover and document evidence and leads
- Corroborate other evidence
- Assist in showing patterns of events
- Connect computers and people
- Reveal an end-to-end path of events leading to a compromise attempt, successful or not
- Extract data that may be hidden, deleted or otherwise not directly available

What Forensics Can’t Do

- Create evidence
- Tie the suspect to the incident: it ties a system or a user profile to the activity, not the person at the keyboard
- Prove innocence or guilt
- Be instantaneous

Goals

The details of an investigation depend on the circumstances and goals, but the steps are always the same.

- Support law enforcement
- Determine the root cause of an event in order to prevent a recurrence
- Reconstruct the series of events surrounding the incident
- Assist in more types of investigations than just digital ones

Evidence

All forms of digital media: hard drives, CDs, floppy disks, USB drives, flash memory, tape drives, cameras, etc.

Evidence Categories Beyond Hard Drives

- Logs: managing devices, hosts/systems, servers
- Interviews: involved personnel, business and technical managers
- Device configuration files
- Network maps
- Event observation timelines
- Notes: meetings, passwords, response team notes and observations

Types of Forensics

Traditional vs. Incident Response

Basic Methodology

1. Identification
2. Preparation
3. Approach strategy
4. Preservation
5. Collection
6. Examination
7. Analysis
8. Presentation
9. Returning evidence

Traditional Forensics

- Referred to as ‘dead’ forensics: analysis is done in a post-mortem state, after the system has lost power
- Two basic rules: harm nothing, preserve everything

Harm Nothing

- Use a writeblocker (hardware, firmware or software) to preserve the integrity of the original evidence
- Work off a ‘forensic image’ of the original evidence, never the original itself
- Don’t handle the original evidence any longer than necessary

Forensic Image

- An exact, bit-by-bit copy of a piece of media, made without altering the original data
- Includes slack space, unallocated space and hidden partitions
- Preserves MAC times
- An exact “snapshot” of the hard drive at that point in time
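The acquisition step behind a forensic image, as an added example in Python that is not from the slides or from any of the tools named later (dd is the usual command-line equivalent). It assumes a 512-byte sector size and uses a constructed in-memory `FlakySource` in place of a real device, which would be opened read-only behind a write blocker. It shows the two checks a practitioner wants: an unreadable block is zero-filled and logged rather than dropped, so every later byte keeps its original offset and slack space, unallocated space and partition tables still line up; and the hash computed while copying must match a fresh hash of the written image before the original is touched again.

```python
"""Bit-for-bit acquisition with bad-block handling and hash verification
(added example, not from the original slides). FlakySource is a constructed
stand-in for a raw device with one unreadable sector."""
import hashlib
import io
import os
import tempfile

BLOCK = 512  # sector size assumed for the example


class FlakySource:
    """Constructed stand-in for a raw device: one block raises EIO on read."""

    def __init__(self, data, bad_block):
        self._buf = io.BytesIO(data)
        self._bad = bad_block

    def seek(self, pos):
        self._buf.seek(pos)

    def read(self, n):
        if self._buf.tell() // BLOCK == self._bad:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(src, dst_path):
    """Copy src block by block into dst_path.

    Returns (sha256 of the image as written, bytes written, [bad offsets]).
    An unreadable block is replaced by zeros of the same size and its
    offset recorded, the same behaviour as dd conv=noerror,sync, so the
    image stays offset-aligned with the original media.
    """
    h = hashlib.sha256()
    bad = []
    offset = 0
    with open(dst_path, "wb") as out:
        while True:
            src.seek(offset)  # re-seek so a failed read does not desync us
            try:
                chunk = src.read(BLOCK)
            except OSError:
                bad.append(offset)
                chunk = b"\x00" * BLOCK
            if not chunk:
                break  # end of media (physical devices hand back whole sectors)
            out.write(chunk)
            h.update(chunk)
            offset += len(chunk)
    return h.hexdigest(), offset, bad


def hash_file(path):
    """Re-hash the image from disk, independently of the copy loop."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(dst_path, expected):
    """The acquisition hash and the on-disk hash must agree before the
    original is released; a mismatch means the image is not usable."""
    return hash_file(dst_path) == expected


def demo():
    """Image a constructed 8-block device whose block 5 is unreadable."""
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of 512
    src = FlakySource(data, bad_block=5)
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        digest, written, bad = acquire(src, path)
        ok = verify(path, digest)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.unlink(path)
    return {"written": written, "bad_blocks": bad, "verified": ok,
            "image": image, "digest": digest}


if __name__ == "__main__":
    r = demo()
    print(f"wrote {r['written']} bytes, bad blocks at {r['bad_blocks']}, "
          f"sha256 {r['digest']}, verified={r['verified']}")
```

Record both hash values and the bad-block list in the acquisition notes; they are what lets a second examiner show the image is the same bits you took. For a real disk the image file is then mounted read-only for examination, and the original goes back into the evidence bag.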

Writeblockers

- Hardware: the only true hardware writeblocker is the write-protect tab on a floppy disk
- Firmware: an intermediate device between the evidence and the analysis system; it intercepts the write signal from the system and prevents any alteration of the data
- Software: a secure Linux environment; file systems connected to the system as ‘read only’; an HFS partition connected to a Windows system, which has no native driver for it and so cannot write to it
- Software blocking is the weakest option: even a read-only mount can touch the media (some journaling file systems replay their journal on mount unless told not to), so prefer a hardware or firmware blocker for original evidence

Preserve Everything

- Contact system administrators: data can be on remote servers
- Image entire disks, not just volumes (the physical layer, not the logical layer)
- Image all peripheral media

Common Tools

MacForensicsLab, FTK, EnCase, iLook, ProDiscover, and many specialized tools

Incident Response

- Also known as live forensics
- A growing field because of the expanding role of networks
- Vital to preserve volatile data
- Unlike traditional forensics, the original evidence must be altered: to retrieve the needed data you must use the system in question, so every action taken on it should be documented

What Incident Response Can Do

- Show the path the intruder took over the network
- Reveal intermediate intrusions
- Preserve data that would be lost during a traditional forensic investigation
- Create leads to expand the investigation

What Incident Response Can’t Do

- Solve the case alone: traditional forensics is still needed
- Tie the suspect to the attack: only a system
- Create data that is not present

Collecting the Evidence

- Information gathering: volatile memory and configurations
- Enumerating files or ambient data on the compromised system and on the attack system
- Log entries in intermediate devices

What to Look For

- Footprinting: files or ambient data on the attack computer, and log entries in intermediate devices
- Probing for weaknesses: files or ambient data on the attack computer, and log entries on intermediate devices and on the compromised system
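Turning "log entries in intermediate devices" into a finding about probing, as an added example in Python (not code from the slides). The firewall lines are constructed in an iptables-LOG-like layout with invented addresses and times, and the year is assumed because syslog timestamps carry none. One source touching many distinct ports on one host inside a short window is the probing-for-weaknesses pattern the slide describes; the result keeps what the investigator needs next: when the window opened, every port touched, and any connection the firewall later accepted from that source, which is where the compromised-system evidence should be sought.

```python
"""Port-probe detection over firewall log lines (added example, not from the
original slides). SAMPLE_LOG is constructed: addresses, times and host names
are invented, and the layout only resembles an iptables LOG target."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May 20 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=21
May 20 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=22
May 20 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=23
May 20 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=25
May 20 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=80
May 20 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=443
May 20 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=3389
May 20 10:00:09 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=8080
May 20 10:01:30 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP DPT=445
May 20 10:05:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.168.1.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)
YEAR = 2007  # assumed: syslog lines carry no year


def parse(text):
    """Parse matching lines into events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "action": m["action"], "src": m["src"],
                       "dst": m["dst"], "dpt": int(m["dpt"])})
    return events


def find_probes(events, window_s=60, min_ports=5):
    """Slide a window over each (src, dst) pair in time order and report the
    pair the first time it touches min_ports distinct ports within window_s.
    The report carries every port that pair ever touched and any ACCEPTed
    connection from the window start onward (the likely way in)."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            if len({e["dpt"] for e in evs[lo:hi + 1]}) >= min_ports:
                start = evs[lo]["ts"]
                findings.append({
                    "src": src, "dst": dst,
                    "window_start": start, "detected_at": evs[hi]["ts"],
                    "ports_touched": sorted({e["dpt"] for e in evs}),
                    "accepted_after": sorted({e["dpt"] for e in evs
                                              if e["action"] == "ACCEPT" and e["ts"] >= start}),
                })
                break  # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_probes(parse(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {len(f['ports_touched'])} ports from "
              f"{f['window_start']:%H:%M:%S}, accepted on {f['accepted_after']}")
```

The thresholds are deliberately parameters: on a busy perimeter five ports in a minute is noise, on an internal segment it is not, and the investigator tunes them against the device's normal traffic before trusting a finding. The `accepted_after` list is the lead to chase on the compromised system itself.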

Tools

- Mostly open source tools
- Helix: live Linux environment and response suite
- BackTrack: network mapping and penetration testing (if needed)
- Custom batch and script files


Big Picture

Use all the data collected to tie all the events together in support of the overall investigation.

Future Problems

- Large data sets
- Steganography
- Cell phones
- PDAs
- Encryption

How to Enter the Field

- Law enforcement: mostly point and click; doesn’t always understand the technical side
- Technical: doesn’t understand the entire scope of the investigation, but understands the ‘behind the scenes’ actions of the tools

A Forensic Analyst Requires Knowledge Of

- Computer hardware and software
- Operating systems
- File systems
- Special “forensics” hardware and software
- Networks
- General technical support

Preparation from Stockton

- Technical support
- Programming
- Computer security basics
- Analytical approach
- Networks
- Sound fundamentals

Preparation from GW

- SFS Scholarship
- Hands-on forensic practical
- In-depth computer security
- Network security practices
- Hacking

SFS Scholarship (www.sfs.opm.gov)

- Roughly 15 schools nationwide
- Pays for up to 2 years of school, and pays you to go to school
- NSA Centers of Excellence: concentrate in all areas of computer security; not all centers are scholarship schools
- In return: one year of government employment for each year of education


Questions?

Contact Information

Peter Caggiano
908.581.3630
[email protected]