8/9/2019 Intro to Comp Forensics
Introduction to Computer Forensics
Roadmap
Incidents & Crimes and Responding to them
Vulnerabilities, Threats, Incidents/Crimes
Types of incidents/crime
How do computers & networks work? (A forensic perspective)
Boot Sequence
How is data stored and how can it be viewed?
Roadmap
Forensic Investigations
Objectives of investigations
The process
How to handle evidence
How Computers Work: A Forensic Perspective
Boot Sequence
How is data stored and how can it be viewed?
How Computers Work
Computer Components
What happens when you turn the computer on?
What is a File System?
How is data stored on disks?
How is data represented in computers and how can it be looked at?
How is data in Windows 2000 encrypted?
Components of computers
Central Processing Unit (CPU)
Basic Input and Output System (BIOS)
Memory
Peripherals (disks, printers, scanners, etc.)
Boot Sequence: What happens when you turn the computer on?
CPU reset: when turned on, the CPU is reset and the BIOS is activated.
Power-On Self Test (POST) performed by the BIOS:
Verify integrity of CPU and POST
Verify that all components are functioning properly
Report if there is a problem (beeps)
Instruct the CPU to start the boot sequence
(System configuration & date/time information is stored in CMOS while the computer is off. POST results are compared with CMOS to report problems.)
Boot Sequence: Disk boot: Loading of the operating system from disk into memory. The bootstrap is in Read-Only Memory.
IMPORTANT POINTS
The CMOS chip contains important evidence on the configuration. If the battery powering CMOS is down, important evidence may be lost (Moussaoui case, 2003).
If the computer is rebooted, the data on the hard disk may be altered (for e
Boot Sequence: Important Points
It is a good idea to obtain the BIOS password from the user. Resetting the CMOS password can change system settings and hence alter evidence. For e
The File System
A file system is like a database that tells the operating system where each piece of data is on the disks or other storage devices.
FAT in MS-DOS is a flat table that provides links from files to their location on disks. But Microsoft's NTFS is similar to unix file systems.
In unix systems, it consists of an (inode) table providing pointers from file identifiers to the blocks where they are stored, and a directory.
The File System
Mounting a file system is the process of making the operating system aware of its e
The File System: Important Points
Formatting a hard drive does not erase data, and therefore the data can be recovered.
Low-level formatting does erase data. However, special vendor software is needed to low-level format hard disks.
Disk Storage
Data is stored on the disk over concentric circles called tracks (heads). When the disks are stacked, the set of tracks with identical radius collectively are called a cylinder. The disk is also divided into wedge-shaped areas called sectors.
Disk capacity is given by the product of the number of cylinders, tracks, and sectors. Each sector usually stores 512 bytes.
Disk Storage
Zoned Bit Recording (ZBR) is used by disk manufacturers to ensure that all tracks are the same size. Otherwise the inner tracks will hold less data than the outer tracks.
Disk Storage
The tracks on disks may be one of:
Boot track (containing partition and boot information)
Tracks containing files
Slack space (unused parts of blocks/clusters)
Unused partition (if the disk is partitioned)
Unallocated blocks (usually containing data that has been "deleted")
(When the program e
Disk Storage: Important Points
Hard drives are difficult to erase completely. Traces of magnetism can remain. This is often an advantage, since evidence may not have been erased completely by the perpetrator. Such evidence can be recovered using one of the data recovery services (such as www.ontrack.com, www.datarecovery.net, www.actionfront.com, www.ibas.net).
Files "deleted" may be partially recovered since their fragments may still be in unallocated blocks.
Disk Storage: Important Points
Traces of information can remain on storage media such as disks even after deletion. This is called remanence. With sophisticated laboratory equipment, it is often possible to reconstruct the information. Therefore, it is important to preserve evidence after an incident.
A perpetrator can hide data in the inter-partition gaps (space between partitions that is specified while partitioning the disk) and then use disk editing utilities to edit the disk partition table to hide them.
Disk Storage: Important Points
The perpetrator can hide data in NT Streams, and such streams can contain e
Disk Storage: Important Points
For linux systems, LDE (Linux Disk Editor) at lde.sourceforge.net is a similar utility available under the GNU license.
Main Lesson: Do not depend on directories or Windows Explorer. Get to the physical data stored on the disk drives. Do not look only at the partitioned disk. Incriminating data may be lurking elsewhere on the disk.
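To make the main lesson concrete, here is an added Python example (not part of the original slides) that reads a constructed MBR-partitioned raw image, lists the sectors that no partition covers, and scans those inter-partition gaps and the unpartitioned tail for file signatures without consulting any directory. The image, the partition layout and the PNG/ZIP headers placed outside the partitions are all constructed for the example.

```python
import struct

SECTOR = 512
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "PNG image", b"\xff\xd8\xff": "JPEG image", b"PK\x03\x04": "ZIP archive"}

def parse_mbr(image):
    """Return sorted [(start_lba, sector_count)] for the non-empty MBR partition entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):  # four 16-byte entries start at offset 446; LBA start at +8, size at +12
        start, count = struct.unpack_from("<II", image, 446 + 16 * i + 8)
        if count:
            parts.append((start, count))
    return sorted(parts)

def unpartitioned_ranges(image, parts):
    """Sector ranges [lo, hi) that no partition covers: inter-partition gaps and the tail."""
    total = len(image) // SECTOR
    ranges, cursor = [], 1  # sector 0 holds the MBR itself
    for start, count in parts:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total:
        ranges.append((cursor, total))
    return ranges

def carve(image, ranges):
    """Scan raw sectors for file signatures, ignoring directories and the partition table."""
    hits = []
    for lo, hi in ranges:
        region = image[lo * SECTOR:hi * SECTOR]
        for magic, name in SIGNATURES.items():
            pos = region.find(magic)
            while pos != -1:
                hits.append((lo + pos // SECTOR, name))
                pos = region.find(magic, pos + 1)
    return sorted(hits)

def build_sample_image():
    """Constructed 64-sector image: two partitions, a PNG header in the gap between them."""
    image = bytearray(64 * SECTOR)
    for i, (start, count) in enumerate([(1, 20), (30, 30)]):  # sectors 1-20 and 30-59
        struct.pack_into("<II", image, 446 + 16 * i + 8, start, count)
    image[510:512] = b"\x55\xaa"
    for sector, blob in [(25, b"\x89PNG\r\n\x1a\n" + b"constructed png body"),
                         (62, b"PK\x03\x04" + b"constructed zip body")]:  # 62: unpartitioned tail
        image[sector * SECTOR:sector * SECTOR + len(blob)] = blob
    return bytes(image)
```

Run against a real image (for example one produced with dd) the same scan reports the sector of every recognised header that lies outside all partitions, which is exactly what a directory listing would never show.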
Data Representation
While all data is represented ultimately in binary form (ones and zeroes), use of editors that provide he
Data Representation: Important point
One should be careful in using such editors, since data can be destroyed inadvertently.
Computer Networks
How are internet communications organised?
How do the internet protocols work?
What are some of the vulnerabilities caused by the internet protocols?
Networking
The Internet Model:
Application Layer (http, telnet, email client, ...)
Transport Layer: Responsible for ensuring data delivery. (Port-to-Port) (Protocols: TCP and UDP) (Envelope name: segment)
Network Layer: Responsible for communicating between the host and the network, and delivery of data between two nodes on the network. (Machine-to-Machine) (Protocol: IP) (Envelope name: datagram) (Equipment: Router)
Data Link Layer: Responsible for transporting packets across each single hop of the network. (Node-to-Node) (Protocol: ethernet) (Envelope name: Frame) (Equipment: Hub)
Physical Layer: Physical media. (Repeater-to-repeater) (Equipment: Repeater)
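As an added example (not from the original slides), the following Python parser peels the envelopes in the order the Internet Model lists them: Ethernet frame, IP datagram, UDP segment, application message, rejecting a frame whose envelopes do not fit together. The MAC addresses, IP addresses and ports are constructed sample values; checksums are left at zero because the sample only illustrates the nesting.

```python
import struct

def parse_frame(frame):
    """Peel one envelope per layer: Ethernet frame -> IP datagram -> UDP segment -> message."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800:  # 0x0800 means an IPv4 datagram is inside the frame
        raise ValueError(f"not an IPv4 frame: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes (low nibble of the version/IHL byte)
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto, src_ip, dst_ip = ip[9], ip[12:16], ip[16:20]
    if proto != 17:  # protocol 17 means a UDP segment is inside the datagram
        raise ValueError(f"not UDP: protocol {proto}")
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _csum = struct.unpack_from("!HHHH", udp, 0)
    if ulen != len(udp):
        raise ValueError("UDP length field disagrees with the datagram length")
    return {
        "link": {"src_mac": src.hex(":"), "dst_mac": dst.hex(":")},
        "network": {"src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip))},
        "transport": {"src_port": sport, "dst_port": dport},
        "application": udp[8:],  # the message the application layer handed down
    }

def build_sample_frame(message):
    """Constructed frame: host A (192.0.2.10) -> host B (192.0.2.20), UDP port 40000 -> 514.
    Checksums are left zero; the sample only shows how each layer wraps the one above."""
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(message), 0) + message
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + udp
    eth = struct.pack("!6s6sH", bytes.fromhex("02000000000b"), bytes.fromhex("02000000000a"), 0x0800)
    return eth + ip
```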
Routing
(Source: http://www.albany.edu/~goel/classes/spring00/MSIJ/internet.ppt)
[Figure: a message travelling from Host A through a Router to Host B. Host A and Host B each show the Application, Transport, Network, Link and Physical Network layers; the Router shows only the Network, Link and Physical Network layers. Envelope names along the path: Message, Packet, Datagram, Frame.]
A protocol defines the format and the order of messages e
Some Protocol Vulnerabilities
TCP Connection-Oriented Service (Establish connection prior to data e
Some Protocol Vulnerabilities
UDP Connectionless Service (No handshake prior to data e
Digital Evidence
Sources of evidence on the internet?
Evidence can reside on the computers, network equipment (routers, for e
Evidence on Workstations & Servers
Locations (Disks)
Disk partitions, inter-partition gaps (not all partitions may have file systems. For e
Evidence on Workstations & Servers
Locations (continued)
Unallocated space (space not yet allocated to files. Also includes recently deleted files, some of which might have been partially overwritten)
Locations (Memory or RAM)
Registers & Cache (usually not possible to capture. Cache can be captured as part of the system memory image)
RAM
Swap space (on disk)
Evidence on Servers & Network Equipment
Router system logs
Firewall logs of successful and unsuccessful attempts
Syslogs in /var/logs for uni