Digital Forensics Lecture 5 - New Mexico Institute of ...df/lectures/5 Analysis Techniques.pdf

Page 1

Digital Forensics Lecture 5

DF Analysis Techniques

Page 2

Current, Relevant Topics

• Wells Fargo is notifying an unspecified number of employees that their personal data, including names, Social Security numbers (SSNs), as well as some health insurance and prescription drug information, may have been compromised following the theft of a laptop computer…

• …did not comply with established policies for safeguarding sensitive data. The company no longer works for Wells Fargo.

Computerworld.com

Page 3

This Week’s Presentations

• Samuel Ashmore: File Encoding and Detection
• Samuel Ashmore: Encryption and Password Recovery (EC)
• Earl Eiland: Timeline Analysis
• Mayuri Shakamuri: Data Mining for Digital Forensics (EC)
• Sage LaTorra: Steganography Detection (EC)
• Ryan Ware: File Extension Renaming and Signaturing (EC)

Page 4

Next Week’s Presentations

• Moses Schwartz: Email Analysis - Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis

Page 5

Our Goal is to Begin to Develop Solid and Lasting Analytical Skills

• We will explore the factors that drive the need for data analysis
• We will begin to understand the process of data analysis and the bounds of accuracy
• We will present a few approaches and tools
• We will attempt to develop an instinct for one approach over another
• This will require a greater degree of class participation
• Where there are blanks, you will be expected to contribute

Page 6

Lecture Overview

• Brainstorming session
• Investigation centric analysis
• Data centric analysis
• General tools and methods

Figure (process diagram): Legal/Policy; Preparation; Collection; Analysis; Findings/Evidence; Reporting/Action

Page 7

Module 1

Brainstorming Session

Page 8

Rules

• Dialogue not debate
  – Seek understanding
  – Ask questions from a point of true curiosity
  – Spend less time thinking about your own idea and more time actively listening
  – Build on ideas to strengthen them
• Share your ideas
  – Write them down and pass them forward if you choose not to speak up

Page 9

Brainstorming Topic

• Pick a crime or offense to be investigated
  – Broad or specific, your choice
  – E.g., corporate data theft, illegal wiretapping, kidnapping, terrorism, system intrusion, phishing, identity theft, etc.
• Attempt to answer these questions:
  – How can DF be used in the investigation?
  – What data are available?
  – How “good” are the data?
  – How can the data be analyzed to find truth?
  – What tools can make the job easier?
  – What preparation and collection might help?

Page 10

Module 2

Investigation Centric Analysis

Page 11

Motivation

• An investigation-centric view is extremely useful in defining the analysis goals and methods
• Our brainstorming session was guided by a piece of the investigation context (crime)
• Data almost always exists in an investigative context
  – Possession of digital contraband, kidnapping, insider trading, etc.
• Details of the investigation allow analysts to focus on certain data types, content, and relationships

Page 12

Digital Forensic Goal is to Move From the Specific to the Abstract

Figure (levels of increasing abstraction, listed from the most concrete upward): Data; Encoding Method (e.g., ASCII, bin); Organization (e.g., Timeline); Context (e.g., Exploit); Relationship (e.g., Correlation); Relevance (e.g., Coincidence); Knowledge/Ability; Motivation/Intent; Truth. Figure labels: Information Component, Human Component, Increasing Abstraction.

Page 13

Types of Investigations (based on role/duty)

• Criminal (law enforcement)
  – Examples: murder, fraud, digital contraband
• Corporate (corp. employee)
  – Examples: network intrusion, data theft, etc.
• Private (self or private investigator)
  – Example: marital infidelity
• ________
  – ________

Page 14

Each Type of Investigation Has Significant and Subtle Differences

• Sources of data
  – Available data?
  – Unavailable data?
  – Quality of data (related to the investigation)?
• Questions to be answered
• Required quality of results
• Availability and coupling with other investigative efforts

Remember: All this is guided by law and policy

Page 15

Module 3

Data Centric Analysis

Page 16

Motivation

• Once the investigative goals, context, and details are understood, certain types of data lend themselves to specific analysis methods

• There are limits on the bounds of accuracy in the digital world, as in the physical world

• Technology presents more data analysis challenges than solutions

Page 17

General Approach

• Obtain a clear understanding of the investigative goals, context, and details
• Think through possible sources of data
  – As in the brainstorming session
• Collect and preserve data
• Develop a strategy for data analysis
• Perform analysis

Page 18

Potential Sources of Digital Data

• Computers (end devices)
  – HDD, FDD, memory, flash devices, input/output devices, support chipsets, etc.
• Networks (communication systems)
  – Logs, routes, ISP configuration, switch tables, network management, etc.
• Many others
  – Cell phones, PDAs, pagers, printers, BlackBerry, GPS, smart cards, traffic management systems, automobile computers, point of sale terminals, telephone logs, etc.
• ____________________

Page 19

Limits to the Quality of Data

• Non-exclusive access to digital systems
• Existence of botnets and zombie machines
• Lack of Internet attribution and identity management
• Easy replication and fabrication of data
• Unclear language and language differences
• Missing network packets
• _________________
• _________________

Access. Social. Technical. Identity. Incomplete Measurement. Others?

Page 20

Storage Media Analysis (1 of 3) “media analysis”

• Data from storage media
  – Volume data
  – Files
  – File meta data
  – Slack space and file slacks (win95)
  – Unallocated space
• Deleted files
  – Space not assigned to a volume
  – ________

Page 21

Storage Media Analysis (2 of 3)

• Volumes
  – Accounting for all disk blocks
  – Recover deleted partitions
  – Investigate un-partitioned space
  – Investigate volume meta-data regions
• File system
  – Analysis of file organization
• _________
  – Types of files
• _________
  – Files of interest
• _________
  – File meta data (time lines)
• _________
  – Misnamed files
• _________
  – ________

Page 22

Storage Media Analysis (3 of 3)

• Deleted files
  – ________
• Slack space
  – ________
• Unallocated space
  – ________

Page 23

Cell Phones

• Call logs
• Contacts
• Text messages
• Pictures
• Geo-location over time
• ________

Page 24

Network Data

• Active connections
  – Client or server
  – Protocol
  – Address
  – Nature of data
  – Duration of connection
• Logs
  – ________
• Looking for indications of malicious insider activity
• Attempting to measure impact of crime

Page 25

Live System Data

• Encase Enterprise
• Windows registry
• Open network connections
• Running processes
• ________

Page 26

Places for data to hide on a HDD (non-exhaustive list)

• Physical media
  – Areas allocated for diagnostics
  – Residual magnetic impressions (due to jitter in write process)
  – Other devices with storage or state-preservation
• Low-level format
  – Redundant sectors
  – Sectors marked as bad (unavailable to wiping programs)
  – Sector overhead?
  – Positioning and synchronization platter?
• Partition
  – Inter-partition gaps
  – Unallocated space
  – “Hidden” partitions
  – Boot records and partition tables
• High-level format
  – Alternate data streams (NTFS)
  – Hidden files (.<filename> or “hidden” attribute)
  – Open, but deleted files
  – Deleted files (unstable)
  – Paging/swap file
• Applications
  – Documents (do you know what you are looking for?)
  – Files with deceptive names (hidden in the noise, e.g., /dev)
  – Modified OS utilities (e.g., file system mounted over real file system, ls)
  – Code (as comments)
  – Databases (registry, history, etc.)
  – Encoding (steganography, metadata, encryption, bit-shifting, substitution, etc.)
• Where else?

Page 27

In Class Exercise

• Where can data hide on other devices and systems?
• Some examples include:
  – As continuous network traffic
  – In printer memory
  – In system backups
  – Distributed among many computers (P2P)

Page 28

Module 4

General Tools and Methods

Page 29

Common Analysis Methods

• Key word search (most mature)
• MAC time line analysis
• Encrypted file cracking
• Relationship analysis
• Causal analysis
• Operating system logs and records
  – Registry (Windows)
  – User account logs
  – Various system logs
• Application specific analysis, e.g., email
• Executable and binary analysis
• ________

Page 30

The Sleuth Kit Tools (learn through hands-on labs)

• File system layer (partitions, file systems)
  – fsstat – first used in lab 3 to determine block size
• File name layer (file name structures)
  – ffind
  – fls
• Meta-data layer (inodes, directory entries, file attributes)
  – icat
  – ifind
  – ils
  – istat
  – mac-robber
• Data unit layer (disk blocks)
  – dcat – first used in lab 3 to extract disk blocks
  – dls – first used in lab 2 to copy unallocated space and slack space
  – dstat
  – dcalc – first used in lab 3 to compute absolute block to recover
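MAC time line analysis (page 29) and mac-robber (above) both start from one record per file holding its modification, access and change times. The following is an added example, not code from the lecture or from The Sleuth Kit: it writes such records in body-file form, merges them into a mactime-style timeline, and flags one timestamp inconsistency an examiner would check. All paths, inodes and times are constructed.

```python
# Added example, not from the lecture or The Sleuth Kit: a MAC timeline built
# the way mac-robber (body file) and mactime do. Paths/times are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class FileRecord:
    path: str
    inode: int
    size: int
    mtime: int  # last content modification, Unix epoch seconds
    atime: int  # last access
    ctime: int  # last inode (metadata) change

BASE = 1_200_000_000  # constructed reference time
SAMPLE = [
    FileRecord("/home/user/report.doc", 1201, 40960, BASE + 600, BASE + 900, BASE + 600),
    FileRecord("/home/user/.cache/notes", 2002, 9876, BASE + 300, BASE + 300, BASE + 310),
    # mtime newer than ctime: a normal edit moves ctime forward too (anomaly case)
    FileRecord("/usr/bin/ls", 3003, 98765, BASE + 2000, BASE + 50, BASE + 320),
]

def body_line(rec: FileRecord) -> str:
    """One record in TSK body format, as mac-robber writes and mactime reads:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    return (f"0|{rec.path}|{rec.inode}|-/-rw-r--r--|0|0|{rec.size}"
            f"|{rec.atime}|{rec.mtime}|{rec.ctime}|0")

def build_timeline(records):
    """Merge all timestamps of all files into one ascending list; equal times
    on one file collapse into a single row with flags such as 'm.c'."""
    events = {}
    for rec in records:
        for ts, flag in ((rec.mtime, "m"), (rec.atime, "a"), (rec.ctime, "c")):
            events.setdefault((ts, rec.path), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "mac"), path)
            for (ts, path), flags in sorted(events.items())]

def ctime_anomalies(records):
    """mtime newer than ctime: utime() sets mtime but the kernel bumps ctime to
    'now' on that change, so this hints at timestomping or a clock change."""
    return [r.path for r in records if r.mtime > r.ctime]

def format_timeline(rows):
    """mactime-style lines: UTC time, m/a/c flags, path."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} {path}"
            for ts, flags, path in rows]

if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(SAMPLE))), ctime_anomalies(SAMPLE))
```

The anomaly check is a heuristic only: a restored backup or a deliberately changed system clock can produce the same pattern, so a hit is a lead to examine, not a finding.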

Page 31

How Would You…

• Determine if a system has been compromised?

• Determine if a suspect has been involved in theft of intellectual property?

• Determine if an employee has been stealing and selling trade secrets?

• Determine the impact of a successful network intrusion?

• ________?

Page 32

Questions?

After all, you are an investigator