Evidentiary Methods II: Evidence Acquisition Computer Forensics BACS 371


Evidentiary Methods II: Evidence Acquisition

Computer Forensics, BACS 371

OK, What do we do first?

Basic Forensic Methodology

• Acquire the evidence (legally)
• Authenticate that it is the same as the original
• Analyze the data without modifying it

Photographing Systems

Before you do anything, begin documentation by photographing all aspects of the system…

• Monitor
• Desk and surrounding area
• All 4 sides of PC
• Labeled cables still connected

Evidence Acquisition Process1

• Disassemble the case of the computer
• Identify storage devices that need to be acquired (internal/external/both)
• Document internal storage devices and hardware configuration
  • Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)
  • Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, …)
• Disconnect storage devices (power, data, or both)
• Controlled boots
  • Capture CMOS/BIOS info (boot sequence, time/date, passwords)
  • Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …)
  • Controlled boot to capture drive config (LBA, CHS, …)

1 Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3. Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Role of the First Responder

Scene of the Cybercrime1
• Do No Harm!
• Identify the Crime Scene
• Protect the Crime Scene
• Preserve Temporary and Fragile Evidence

A Guide for First Responders2
• Secure and Evaluate the Scene
• Document the Scene
• Collect Evidence
• Packaging, Transportation, and Storage of Evidence
• Forensic Examination

1 Scene of the Cybercrime, Shinder & Tittel, p. 553
2 Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators1

• Establish Chain of Command
• Conduct Crime Scene Search
• Maintain Integrity of Evidence

1 Scene of the Cybercrime, Shinder & Tittel, p. 554

Role of Crime Scene Technician1

• Preserve volatile evidence and duplicate disks
• Shut down systems for transport
• Tag and log evidence
• Transport evidence
• Process evidence

1 Scene of the Cybercrime, Shinder & Tittel, p. 555

Computer Seizure Checklist1

• Photograph the monitor
• Preserve volatile data
• Shut down systems
• Photograph the system setup
  • PC – all sides
  • Label all connections
• Unplug system and peripherals – mark & tag
• Bag and tag all components
• Bitstream copy of disk(s) (offsite usually)
• Verify integrity of copies (offsite usually)

1 Scene of the Cybercrime, Shinder & Tittel, p. 557

Handling, Transportation, Storage

Protect evidence from:
• Static electricity
• External RF signals
• Heat
• Humidity
• Sunlight

Evidence Logs

• Lists all evidence collected
• Description of each piece of evidence, with serial numbers & other ID information
• Identifies who collected the evidence and why
• Date and time of collection
• Disposition of evidence
• All transfers of custody

Computer Evidence Worksheet

Evidence Tag

• Place or person from whom item was received
• If item requires consent for search
• Description of items taken
• Information contained on storage device
• Date and time item was taken
• Full name and signature of individual initially receiving evidence
• Case and tag number

Evidence Label

• Case number and evidence tag number
• Date and time the evidence was collected
• Brief description of items in envelope

Evidence Analysis Logs

Record how each step is performed:
• Who was present
• What was done
• Result of procedure
• Time/date

Document all potential evidence:
• Filename
• Where on disk data are located
• Date and time stamps
• Network information (MAC address, IP address)
• Other file properties (metadata)

Evidence Log

Case Number: 123412

Tag #  Date       Action                          Taken By   Location
1      13 Jan 01  Initial Submission              Matt Pepe  Maxtor 600GB (593843420)
1      15 Mar 01  Moved evidence to tape          Matt Pepe  4mm tape #01101
1      15 Mar 01  Examined evidence using EnCase  Matt Pepe  FRED #7

Each entry records:
• Evidence tag number
• Date
• Action taken
• Person performing action
• Identifying information

Preserve Volatile Data1

Order of Volatility2 (most volatile first)
1. Registers and cache
2. Routing table, ARP cache, process table, kernel statistics
3. Contents of system memory (RAM)
4. Remote logging and monitoring data
5. Physical configuration, network topology
6. Temporary file systems
7. Data on disk
8. Archival media

1 Scene of the Cybercrime, Shinder & Tittel, p. 559
2 Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Collecting Volatile Data

Tool      Purpose
netstat   View current network connections
nbtstat   View NetBIOS name table and connections (name resolution)
arp       View addresses in ARP (Address Resolution Protocol) cache
pslist    List running processes (or view in Task Manager)
ipconfig  Gather information about the state of the network

netstat – current network connections

nbtstat – NetBIOS name resolution

arp – addresses in ARP cache

ipconfig – state of network

Foundstone Tools

Pasco             An Internet Explorer activity forensic analysis tool
Galleta           An Internet Explorer cookie forensic analysis tool
Rifiuti           A Recycle Bin forensic analysis tool
Vision            Reports all open TCP and UDP ports
NTLast            Security audit tool for Windows NT
Forensic Toolkit  Tools to examine an NTFS disk partition for unauthorized activity
ShoWin            Shows information about windows – reveals passwords
BinText           Finds ASCII, Unicode, and resource strings in a file

Things to Avoid1

• Don’t shut down until volatile evidence has been collected
• Don’t trust the programs on the system – use your own secure programs
• Don’t run programs which modify access times of files

1 Guidelines for Evidence Collection and Archiving, IEEE, February 2002
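As an added worked example (not from the slides or their cited sources), the following Python script collects the volatile data listed in the tool table in order of volatility, runs each tool from an assumed trusted toolkit directory (TOOLKIT_DIR is a placeholder) rather than from the suspect machine, and writes a manifest with a UTC timestamp and the SHA-256 of every output so the collection can be authenticated later. The tool outputs are constructed, and a fake runner stands in for the real tools so the script runs offline.

```python
"""Ordered volatile-data collection with a hashed manifest.

Added example (not from the slides): each collector runs a tool from a
trusted toolkit directory (never the suspect system's own binaries), in
order of volatility, and records what ran, when, and the SHA-256 of the
output so the collection can later be authenticated.
"""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Assumed trusted toolkit location (response CD / write-protected USB); placeholder path.
TOOLKIT_DIR = r"E:\tools"

# Collectors listed most volatile first (order of volatility from the slides).
COLLECTORS = [
    ("processes", ["pslist.exe"]),             # process table
    ("connections", ["netstat.exe", "-ano"]),  # current network connections
    ("arp_cache", ["arp.exe", "-a"]),          # ARP cache
    ("netbios", ["nbtstat.exe", "-n"]),        # NetBIOS names
    ("ipconfig", ["ipconfig.exe", "/all"]),    # network configuration
]


def run_trusted(argv):
    """Default runner: execute argv[0] from TOOLKIT_DIR and return its stdout bytes."""
    cmd = [os.path.join(TOOLKIT_DIR, argv[0])] + argv[1:]
    return subprocess.run(cmd, capture_output=True, check=False).stdout


def collect(collectors=COLLECTORS, runner=run_trusted, now=None):
    """Run collectors in order; return (manifest, outputs) for later verification."""
    now = now or (lambda: datetime.now(timezone.utc))
    manifest, outputs = [], {}
    for name, argv in collectors:
        started = now().isoformat()
        data = runner(argv)
        outputs[name] = data
        manifest.append({
            "name": name,
            "tool": argv[0],
            "args": argv[1:],
            "started_utc": started,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return manifest, outputs


def verify(manifest, outputs):
    """Re-hash stored outputs against the manifest; return the names that do not match."""
    bad = []
    for entry in manifest:
        data = outputs.get(entry["name"], b"")
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            bad.append(entry["name"])
    return bad


# Constructed sample output so the example runs offline without the tools.
FAKE_OUTPUT = {
    "pslist.exe": b"Name      Pid\r\nexplorer  1200\r\n",
    "netstat.exe": b"  TCP  10.0.0.5:49152  203.0.113.7:443  ESTABLISHED  1234\r\n",
    "arp.exe": b"  10.0.0.1  00-11-22-33-44-55  dynamic\r\n",
    "nbtstat.exe": b"  WORKSTATION  <00>  UNIQUE  Registered\r\n",
    "ipconfig.exe": b"   IPv4 Address. . . : 10.0.0.5\r\n",
}


def fake_runner(argv):
    """Stand-in for run_trusted that returns the constructed output for a tool."""
    return FAKE_OUTPUT[argv[0]]


if __name__ == "__main__":
    manifest, outputs = collect(runner=fake_runner)
    print(json.dumps(manifest, indent=2))
    print("mismatches:", verify(manifest, outputs))
```

The manifest, not the raw output, is what goes into the evidence log: a later examiner re-hashes the saved outputs with verify() and any edited or truncated file shows up by name.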

Acquire the Evidence

To shutdown, or to not shutdown, that is the question!

Do so without damaging or altering the original.

Should you let the machine run, or pull the plug?

Run
• Retains maximum forensic evidence

Pull plug
• Removes a compromised computer from potentially affecting the whole network
• How to pull the plug: from the back of the PC, when the hard drive is not spinning
  • Sound
  • Drive light
  • Vibration

Making Backups

• File backup vs. bitstream copy
• Use forensically sterile media
• Make 2 backup copies (one to work with and one to store)
• Don’t access the original again!

Level of Effort to Protect Evidence…

If the evidence is going to be used in court vs. if the evidence is going to be used for an internal investigation:

• The evidence method should be the same for both situations, in case it ever goes to court
• The more documentation the better

Forensic Analysis CYA

• Virus check
  • Forensic computer
  • Media being processed
• Collect system information
  • Complete computer hardware inventory
• CHKDSK/SCANDISK
  • Look for “orphan clusters”
• Check for hidden partitions
• Document everything!

MD5 Hashing

Wikipedia entry: Cryptographic Hash Function

A hash function must be able to process an arbitrary-length message into a fixed-length output.

Related entries: Hash Function, Hash Collision, Check Digit, Cyclic Redundancy Check (CRC)

Integrity of Evidence+

Checksum
  Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result.
  Common types: CRC-16, CRC-32
  Advantages: Easy to compute; fast; small data storage; useful for detecting random errors
  Disadvantages: Low assurance against malicious attack; simple to create data with matching checksum

One-Way Hash
  Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80 to 240 bits) representing the digital data. Implements a one-way function.
  Common types: SHA-1, MD5, MD4, MD2
  Advantages: Easy to compute; can detect both random errors and malicious alterations
  Disadvantages: Must maintain secure storage of hash values; does not bind identity with data; does not bind time with data

Digital Signature
  Description: Secure method for binding the identity of the signer with digital data integrity methods such as one-way hash values. Uses a public key crypto system.
  Common types: RSA, DSA, PGP
  Advantages: Binds identity to integrity operation; prevents unauthorized regeneration of signature
  Disadvantages: Slow; must protect private key; does not bind time with data

+ “Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)
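An added Python example (not from the slides or the cited paper) that puts the first two rows of the table side by side: a CRC-16 checksum catches a random bit flip just as SHA-256 does, but with only 16 bits of output a second message with the same checksum is found by plain enumeration (typically a few hundred candidates), whereas the same search against SHA-256 finds nothing. The messages are constructed; binascii.crc_hqx is the standard library's CRC-16/XMODEM.

```python
"""Checksum versus one-way hash: why a CRC is not an integrity control.

Added example (not from the slides). A 16-bit CRC is fine for catching
random corruption but, as the table says, it is simple to produce different
data with the same checksum; a cryptographic hash resists that.
"""
import binascii
import hashlib


def crc16(data: bytes) -> int:
    """CRC-16/XMODEM via the standard library (binascii.crc_hqx)."""
    return binascii.crc_hqx(data, 0)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def detects_random_error(data: bytes, byte_index: int) -> bool:
    """A single flipped bit is caught by the CRC and by SHA-256 alike."""
    damaged = bytearray(data)
    damaged[byte_index] ^= 0x40
    damaged = bytes(damaged)
    return crc16(damaged) != crc16(data) and sha256(damaged) != sha256(data)


def find_crc16_collision(prefix: bytes, limit: int = 200_000):
    """Enumerate variants of a message until two share a CRC-16.

    Only 65,536 checksum values exist, so by the birthday bound a collision
    usually appears after a few hundred candidates and is certain within the
    limit. Returns the colliding pair (or None if the limit is too small).
    """
    seen = {}
    for n in range(limit):
        candidate = prefix + str(n).encode()
        c = crc16(candidate)
        if c in seen:
            return seen[c], candidate
        seen[c] = candidate
    return None


def sha256_collision_in(candidates) -> bool:
    """The same search against SHA-256: with 256-bit output no collision appears."""
    seen = set()
    for cand in candidates:
        d = sha256(cand)
        if d in seen:
            return True
        seen.add(d)
    return False


if __name__ == "__main__":
    msg = b"Evidence item 1 acquired 13 Jan 01 by Matt Pepe"
    print("random error detected by both:", detects_random_error(msg, 5))
    first, second = find_crc16_collision(b"note ")
    print("CRC-16 collision:", first, second, hex(crc16(first)))
    print("SHA-256 collision among 5000 variants:",
          sha256_collision_in(b"note " + str(n).encode() for n in range(5000)))
```

The third row of the table is the step beyond this: signing the hash with a private key is what binds an identity to it, and neither a CRC nor a bare hash does that, which is why the hash values themselves must be stored securely.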

Hashing Algorithms1

Algorithm  Description
MD2        Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.
MD4        Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5        Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
SHA        SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL      A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.

1 Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash

“[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”1

1 http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

MD5 Hash

• 128-bit number representing a “fingerprint” of a file
• Odds of two different files having the same MD5 hash are 1 in 2^128

MD5 issues???
• Collisions – two different files generating the same hash: http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
• SHA collisions: http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf

Hash Try It…

http://www.sha1-online.com/
http://www.digital-detective.co.uk/freetools/md5.asp
http://www.miraclesalad.com/webtools/md5.php
Hash Converter: http://hash.online-convert.com/sha1-generator

Admissibility of Evidence

The whole point of all of this is to make sure that the evidence is admissible, which means it is…

• Relevant: substantiates an issue that is in question in the case
• Competent: reliable and credible
• Obtained legally

5 Mistakes of Computer Evidence1

1. Turn on the computer (don’t do it!)
2. Get help from the computer owner
3. Don’t check for computer viruses
4. Don’t take any precautions in the transport of computer evidence
5. Run Windows to view graphic files and to examine files

1 Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson