Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011
Cybercrime and Computer Forensics Seminar
Chicago Bar Association, Mar 25th, 2011
John C. A. Bambenek
Chief Forensic Examiner, Bambenek Consulting
[email protected]
http://www.bambenekconsulting.com
312-725-HACK (4225)
Agenda
Types of Actionable Computer Crime
Incident Response versus Forensics
Laws Related to Computer Forensics
Chain of Custody and Data Acquisition
Hard Drive Forensics
Registry Examination
Memory Forensics
Network Forensics
Log / Server Forensics
File Metadata
Types of Actionable Computer Crime
Identity Theft
Electronic Fraud (ACH or Credit Card)
Spamming
Website Defacement / Denial of Service
Unauthorized Access / Misuse of Access
Cyberbullying
Trade Secret Theft
National Security Issues
Obstacles to Cybercrime Prosecution
Relatively new area of law / the law has not caught up with technology
International in scope / non-extradition treaty countries
Limited resources & skillsets within law enforcement
Near constant level of criminal activity
Organized crime involvement and sophisticated business models
Security tool development lags criminal tool development
Incident Response vs. Forensics
Incident response = “Something bad happened, fix it”
Forensics = Acquisition of evidence for potential litigation
Can include e-Discovery
Organizations should have prepared in advance for this decision
Some incidents are not worth pursuing in criminal or civil court
Forensics is much more time-consuming and expensive
In both cases the questions are how someone “got in” and what they did once there; attribution (who did it) may not be a concern
Laws Relating to Forensics
Wire fraud (18 USC § 1343)
Computer Fraud and Abuse Act (18 USC § 1030)
Electronic Communications Privacy Act (18 USC § 2510)
Stored Communications Act (18 USC § 2701)
Digital Millennium Copyright Act (17 USC § 512 et seq.)
Legal Issues Relating to Forensics
Ownership of Hardware
Big issue with Cloud Computing
Ownership of Data
Expectation of Privacy
Not supposed to monitor users if they reasonably believe their actions are private
Chain of Custody / Evidence Preservation
Hard to have a case if chain of custody is broken or evidence has been corrupted
What kinds of evidence can be collected?
Physical drives
System memory
Network transmissions
System/Server Logs
Other sources?
Chain of Custody
Physical possession of data is standard chain of custody
How do you prove chain of custody on electronic information? Cryptographic hashing
Prevention of evidence contamination
Analyze only digital copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keep notes for all tasks performed on a “live system”
Hashing
Hashing uses a one-way cryptographic function (not encryption: there is no key, and the output cannot be reversed to recover the input) to produce a fixed-length digest that, for practical purposes, uniquely identifies a file or an entire drive image
Small changes to the input cause large, unpredictable changes in the hash
MD5 and SHA1 are shown below because they were the common choice; both have known collision weaknesses, so record a SHA-256 digest alongside them when acquiring evidence
Example: “Chicago Bar Association.” vs “Chicago Bar Association!”
MD5: 03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38
SHA1: 7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a
Hard drive data acquisition
Can be done on a “live system” or a system that is off
On a “live system” data is constantly changing, which can be problematic
Involves a bit-copy of a drive into a “virtual drive” file for examination
Hashes taken before and after to ensure no data is contaminated
Drive left in safe, all analysis done on copies “virtual drive”
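The hashing and acquisition steps above, as an added example that is not part of the original slides. It copies a source stream bit for bit into an image, hashes the source before and after the copy and the image once, and reports the acquisition as verified only when all three agree (the source was not altered, the copy is exact). The “drive” is a constructed in-memory byte string standing in for a block device opened read-only behind a write-blocker; the function names are the example’s own. Running it also prints the MD5 and SHA1 digests of the two slide strings and the number of MD5 bits that differ between them.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte images


def digest(stream, algorithms=("md5", "sha256")):
    """Hash a seekable binary stream in a single pass, returning {name: hexdigest}.
    Several algorithms are computed together so the image is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithm="md5"):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def acquire(source, image):
    """Bit-for-bit copy of `source` into `image` (both seekable binary streams).
    The source is hashed before and after the copy and the image once; the
    acquisition is verified only if all three digest sets agree, which shows the
    source was not altered by the copy and the image is an exact duplicate."""
    before = digest(source)
    source.seek(0)
    image.seek(0)
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        image.write(block)
    image.truncate()
    after = digest(source)
    copy = digest(image)
    return {"before": before, "after": after, "image": copy,
            "verified": before == after == copy}


def acquire_bytes(data):
    """Run `acquire` over a constructed in-memory 'drive' (demonstration only)."""
    return acquire(io.BytesIO(data), io.BytesIO())


def avalanche(a, b, algorithm="md5"):
    """Number of differing bits between the digests of two byte strings."""
    x = int(digest_bytes(a, algorithm), 16) ^ int(digest_bytes(b, algorithm), 16)
    return bin(x).count("1")


if __name__ == "__main__":
    # Constructed stand-in for a small block device: zero fill plus a marker string.
    drive = b"\x00" * (3 * CHUNK) + b"CONFIDENTIAL MEMO"
    result = acquire_bytes(drive)
    print("verified:", result["verified"])
    print("image sha256:", result["image"]["sha256"])
    a, b = b"Chicago Bar Association.", b"Chicago Bar Association!"
    for s in (a, b):
        print(s.decode(), "md5", digest_bytes(s), "sha1", digest_bytes(s, "sha1"))
    print("MD5 bits that differ between the two:", avalanche(a, b), "of 128")
```

On a real acquisition the source would be the raw device (for example /dev/sdb opened read-only), the image a file on evidence storage, and the three digests would go into the chain-of-custody notes together with the time, the examiner and the write-blocker used.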
Hard drive basics
Hard drives are collections of ones and zeroes, even when mostly empty
File tables map file names to the “addresses” (clusters) on the drive where the data that makes up the file is stored, along with the file’s attributes (such as MAC times).
When a file is deleted, the data itself is not erased. The file’s entry is simply “unlinked” from the addresses it used, and those parts of the drive may later be overwritten by new files. This is why government sanitization standards require a drive to be deliberately overwritten (“wiped”, in some standards several times) rather than merely have its files deleted.
Data may also hide in “slack space”, the unused tail of the last cluster allocated to a file, which can still hold fragments of whatever occupied it before.
Hard drive basics
So you have a drive image, now what?
Search for all deleted files
Search for all files added, deleted or modified at a certain time
Search files for specific strings
Search for files of a specific type
Examine key system files (configuration files, startup scripts, system registry)
Depends heavily on the nature of the incident
Iterative process that is more art than science
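What deletion does and does not destroy, as an added example that is not from the original slides. The toy “drive” below is a constructed, deliberately simple structure (a fixed file table followed by a data area) that behaves like a real file system in the two ways that matter here: deletion only clears the in-use flag in the table, and a later write reuses the freed sectors. The carving and string-search functions ignore the file table entirely and work on the raw image, which is how deleted files are found in practice. Class and function names are the example’s own.

```python
import re
import struct

SECTOR = 512
TABLE_SECTORS = 2                      # the file table occupies the first two sectors
DATA_START = TABLE_SECTORS * SECTOR
ENTRY = struct.Struct("<16sIIB")       # name, start offset, length, in-use flag
MAX_ENTRIES = DATA_START // ENTRY.size

# Magic bytes used for carving by file type; the file table is never consulted.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}


class ToyDisk:
    """Constructed stand-in for a drive: a file table, then a data area."""

    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.high_water = DATA_START    # first never-used data offset

    def entry(self, i):
        name, start, length, used = ENTRY.unpack_from(self.raw, i * ENTRY.size)
        return name.rstrip(b"\0").decode(), start, length, bool(used)

    def write(self, name, data):
        """Take the first free table slot. A slot freed by deletion still carries
        its old start offset and the new file is placed there, which is how
        deleted data gets overwritten in practice. Bytes after `data` in its
        last sector are left untouched: that is slack space."""
        for i in range(MAX_ENTRIES):
            _, start, _, used = self.entry(i)
            if used:
                continue
            if start == 0:                              # never-used slot: extend the data area
                start = self.high_water
                self.high_water += -(-len(data) // SECTOR) * SECTOR
            self.raw[start:start + len(data)] = data
            ENTRY.pack_into(self.raw, i * ENTRY.size, name.encode(), start, len(data), 1)
            return start
        raise RuntimeError("file table full")

    def delete(self, name):
        """Deletion clears only the in-use flag; start, length and data remain."""
        for i in range(MAX_ENTRIES):
            n, start, length, used = self.entry(i)
            if used and n == name:
                ENTRY.pack_into(self.raw, i * ENTRY.size, n.encode(), start, length, 0)
                return
        raise FileNotFoundError(name)

    def listing(self, include_deleted=False):
        """What the file system reports; with include_deleted, what a scan of
        unlinked table entries can still recover (name, offset, length)."""
        out = []
        for i in range(MAX_ENTRIES):
            name, start, length, used = self.entry(i)
            if used or (include_deleted and start):
                out.append((name, start, length, used))
        return out


def carve(raw):
    """Find file headers by signature anywhere on the raw image, allocated or not."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = raw.find(magic, pos + 1)
    return sorted(hits)


def grep(raw, pattern):
    """Offsets at which a regex matches on the raw image (strings search)."""
    return [m.start() for m in re.finditer(pattern, raw)]


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write("memo.txt", b"Project Falcon pricing: $4.2M. Do not forward.")
    disk.write("scan.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 700)   # constructed JPEG header
    disk.write("deal.pdf", b"%PDF-1.4 constructed sample")
    disk.delete("memo.txt")
    disk.delete("scan.jpg")
    disk.write("notes.txt", b"nothing to see")   # 14 bytes land on memo.txt's old sector
    print("live files:     ", [n for n, *_ in disk.listing()])
    print("table residue:  ", disk.listing(include_deleted=True))
    print("carved headers: ", carve(disk.raw))
    print("'Falcon' at:    ", grep(disk.raw, rb"Falcon"), "(overwritten by notes.txt)")
    print("'$4.2M' at:     ", grep(disk.raw, rb"\$4\.2M"), "(tail of the deleted memo survives)")
```

The last two lines show the partial-overwrite case: the new 14-byte file destroyed exactly the first 14 bytes of the deleted memo, and the rest is still readable from the raw image even though no file table entry points at it.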
MAC times
MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.
All files have MAC times associated with them (even deleted ones).
These times help narrow the search to files “important” to an incident (e.g. if something happened at 3pm on Jan 11th, you would look for any file with a MAC time near that same time).
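The MAC-time search described above, as an added example that is not from the original slides. The records are constructed in the shape of a body file (path plus modified, accessed, changed and created times); on a real image they would come from os.stat() on a mounted read-only copy or from The Sleuth Kit’s fls/mactime. The incident time is the slide’s 3pm on Jan 11th (taken as UTC here), and the flag letters follow the mactime convention. Function names are the example’s own.

```python
from datetime import datetime, timezone

FLAGS = "macb"   # mactime convention: m=modified, a=accessed, c=changed, b=born (created)


def ts(year, month, day, hour=0, minute=0, second=0):
    """UTC epoch seconds for a calendar time (used to build the sample data)."""
    return int(datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc).timestamp())


# Constructed records: path, mtime, atime, ctime, crtime (UTC epoch seconds).
# The scenario: a dropper lands in Temp just before 3pm, the hosts file is
# edited just after, and an unrelated spreadsheet was opened that morning.
RECORDS = [
    ("/Windows/System32/svchost.exe", ts(2009, 7, 14, 1, 14), ts(2011, 1, 11, 14, 58), ts(2009, 7, 14, 1, 14), ts(2009, 7, 14, 1, 14)),
    ("/Users/jdoe/AppData/Local/Temp/upd.exe", ts(2011, 1, 11, 14, 59, 12), ts(2011, 1, 11, 14, 59, 12), ts(2011, 1, 11, 14, 59, 12), ts(2011, 1, 11, 14, 59, 12)),
    ("/Windows/System32/drivers/etc/hosts", ts(2011, 1, 11, 15, 2, 40), ts(2011, 1, 11, 15, 2, 40), ts(2011, 1, 11, 15, 2, 40), ts(2009, 7, 14, 1, 14)),
    ("/Users/jdoe/Documents/budget.xlsx", ts(2010, 12, 3, 14, 5), ts(2011, 1, 11, 9, 30), ts(2010, 12, 3, 14, 5), ts(2010, 12, 3, 14, 0)),
]


def timeline(records):
    """Flatten per-file MAC times into one chronological list of
    (time, flags, path). Coinciding timestamps on the same file merge into one
    row: 'macb' (all four equal) is the signature of a freshly dropped file,
    while 'mac.' with an old creation time suggests an existing file was edited."""
    rows = {}
    for path, *times in records:
        for flag, t in zip(FLAGS, times):
            rows.setdefault((t, path), set()).add(flag)
    return [(datetime.fromtimestamp(t, timezone.utc), "".join(f if f in flags else "." for f in FLAGS), path)
            for (t, path), flags in sorted(rows.items())]


def near(records, incident_epoch, window_minutes=30):
    """Paths with any MAC time within +/- window of the incident (epoch seconds)."""
    lo = incident_epoch - window_minutes * 60
    hi = incident_epoch + window_minutes * 60
    return sorted({path for path, *times in records if any(lo <= t <= hi for t in times)})


def flags_for(records, path):
    """Timeline rows for one path, to judge whether it was dropped or edited."""
    return [(t.isoformat(), f) for t, f, p in timeline(records) if p == path]


if __name__ == "__main__":
    incident = ts(2011, 1, 11, 15, 0)
    print("files touched within 30 minutes of the incident:")
    for path in near(RECORDS, incident):
        print("  ", path, flags_for(RECORDS, path))
    print("full timeline:")
    for when, flags, path in timeline(RECORDS):
        print("  ", when.isoformat(), flags, path)
```

Note the caveat the flags make visible: svchost.exe shows up only because it was accessed near the incident time, which a running system does constantly, so an access-time hit alone is weak evidence compared with the “macb” row of the newly written executable.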
Windows Registry
Windows operating systems keep a wide variety of information in the system registry (can be accessed live with the RegEdit command):
Most recently used programs
Most recently entered commands
Most recently viewed documents
Typed URLs in IE
Unique hardware identifiers (vendor, product and serial number) for USB storage devices that have been connected to the system
This can be used to create a “timeline” of activity on the machine
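Two of the registry artifacts listed above, decoded as an added example that is not from the original slides. Program-execution history lives under the UserAssist key, where value names are ROT13-obfuscated paths and the value data (Windows 7 layout, which is the layout assumed here) carries a run counter at offset 4 and a last-run FILETIME at offset 60; USB storage history lives under USBSTOR, whose key names carry vendor, product, revision and a per-device instance ID. Reading a hive file itself needs a parser such as python-registry or an export from reg.exe, so this example works on values already extracted, and its sample data is constructed. Function names are the example’s own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, data):
    """Decode one value from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count.
    Names are ROT13; data is the 72-byte Windows 7 layout (run count at
    offset 4, last-run FILETIME at offset 60)."""
    if len(data) < 68:
        raise ValueError("expected a Windows 7-style 72-byte UserAssist value")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


def parse_usbstor(key_path):
    r"""Split a USBSTOR key path such as
    SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230516117352&0
    into its parts. When the second character of the instance ID is '&',
    Windows generated the ID because the device reported no serial number, so
    it does not identify one unique device."""
    device, instance = key_path.rstrip("\\").split("\\")[-2:]
    fields = dict(part.split("_", 1) for part in device.split("&")[1:] if "_" in part)
    return {
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "instance_id": instance,
        "serial": instance.split("&")[0] if len(instance) > 1 and instance[1] != "&" else None,
    }


def build_userassist_value(run_count, last_run_iso):
    """Construct a Windows 7-layout UserAssist blob for the demo (sample data)."""
    delta = datetime.fromisoformat(last_run_iso) - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    blob = bytearray(72)
    struct.pack_into("<I", blob, 4, run_count)
    struct.pack_into("<Q", blob, 60, micros * 10)
    return bytes(blob)


if __name__ == "__main__":
    # Constructed: ROT13 of "Calc.exe" run 7 times, last on 25 Mar 2011.
    print(decode_userassist("Pnyp.rkr", build_userassist_value(7, "2011-03-25T14:30:05+00:00")))
    print(parse_usbstor(r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230516117352&0"))
    print(parse_usbstor(r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\7&2e1a5b0c&0"))
```

The serial number is what ties a specific thumb drive found on a desk to a machine; the timestamps of the USBSTOR key (not shown here, they come from the hive parser) give the first-connected time, which slots into the same timeline as the MAC times and UserAssist last-run values.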
Memory Forensics
Must be done on a “live” machine: memory contents disappear without power (they decay over seconds to minutes rather than instantly, and hibernation and page files on disk can hold copies, but a machine that has been powered off should be assumed to have lost its RAM)
Contains:
All running programs (even those deleted from the disk)
Any encryption keys in use (makes for easy decrypting)
In some cases, passwords
Memory is constantly changing
Evidence “changes” over time, may have to work with multiple memory files
Network forensics
In essence, the same as wiretapping a phone call except with data
Most managed network switches can mirror a port (SPAN) so the live traffic to and from a machine can be captured
What are you looking for:
Who is talking to this machine
Who is this machine talking to
When is it happening
What is being communicated
Encryption? (encrypted traffic still reveals endpoints, timing and volume even when the content is unreadable)
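The four questions above answered from a capture file, as an added example that is not from the original slides. The capture is constructed in memory in classic pcap format (the format tcpdump and Wireshark write) with Ethernet framing, using RFC 5737 documentation addresses, so nothing here is a real conversation; the parser then reduces it to who the subject machine talked to, in which direction, when, how much, and whether the payload looked like readable text. Function and constant names are the example’s own.

```python
import socket
import struct

PCAP_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, captured length, original length
ETH_IPV4 = b"\x08\x00"
TCP, UDP = 6, 17


def build_record(ts, src, sport, dst, dport, proto=TCP, payload=b""):
    """Construct one Ethernet/IPv4/TCP-or-UDP pcap record (sample data only;
    checksums are left zero, which a capture file does not validate)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    frame = bytes(12) + ETH_IPV4 + ip        # MAC addresses zeroed; not parsed below
    return REC_HDR.pack(int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame


def build_pcap(records):
    return PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def packets(data):
    """Yield (time, src, sport, dst, dport, proto, payload) for IPv4 TCP/UDP
    packets in a little-endian microsecond pcap with Ethernet framing."""
    magic, _, _, _, _, _, linktype = PCAP_HDR.unpack_from(data)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian microsecond pcap over Ethernet is handled")
    off = PCAP_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, caplen, _ = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != ETH_IPV4:
            continue                                   # ARP, IPv6 etc. are skipped
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == TCP and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == UDP and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        else:
            continue
        yield ts_sec + ts_usec / 1e6, src, sport, dst, dport, proto, payload


def conversations(data, subject):
    """Per (direction, peer, port, protocol): first/last time seen, packet and
    payload-byte counts, and a readable-text ratio used as a rough encryption flag."""
    table = {}
    for t, src, sport, dst, dport, proto, payload in packets(data):
        if src == subject:
            key = ("out", dst, dport, proto)
        elif dst == subject:
            key = ("in", src, sport, proto)
        else:
            continue
        row = table.setdefault(key, {"first": t, "last": t, "packets": 0, "bytes": 0, "printable": 0})
        row["first"], row["last"] = min(row["first"], t), max(row["last"], t)
        row["packets"] += 1
        row["bytes"] += len(payload)
        row["printable"] += sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    for row in table.values():
        row["looks_encrypted"] = row["bytes"] > 0 and row["printable"] / row["bytes"] < 0.6
    return table


# Constructed capture: the subject resolves a name, fetches a file over HTTP,
# then holds an opaque exchange on 443 with a second host.
SUBJECT = "10.0.0.5"
SAMPLE = build_pcap([
    build_record(1300000000.0, SUBJECT, 51000, "10.0.0.1", 53, UDP,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    build_record(1300000000.2, SUBJECT, 51002, "203.0.113.7", 80, TCP,
                 b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"),
    build_record(1300000001.5, SUBJECT, 51003, "198.51.100.9", 443, TCP, bytes(range(0, 256, 3))),
    build_record(1300000007.0, "198.51.100.9", 443, SUBJECT, 51003, TCP, bytes(range(255, 0, -5))),
])

if __name__ == "__main__":
    for (direction, peer, port, proto), row in sorted(conversations(SAMPLE, SUBJECT).items()):
        print(f"{direction:3} {peer}:{port} {'tcp' if proto == TCP else 'udp'} first={row['first']:.1f} "
              f"last={row['last']:.1f} pkts={row['packets']} bytes={row['bytes']} encrypted={row['looks_encrypted']}")
```

Even where the 443 payload is unreadable, the table still answers who, when and how much, which is usually enough to decide which host to image next.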
Log forensics
Servers associated with a subject computer may have valuable information
E-mail logs can show all mail sent from a target computer
DHCP / DNS logs may show when the machine was on and who it was communicating with
If centralized logging is configured, these servers can show who accessed a machine even after the machine’s own logs have been wiped
Web server logs can show attacks in progress and how servers were exploited
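How an attack shows up in web server logs, as an added example that is not from the original slides. The log lines are constructed in Apache/nginx combined format using RFC 5737 addresses and imitate common injection and scanner traffic; they are not from a real incident. The point a practitioner needs is in normalize(): attackers percent-encode (and double-encode) their payloads, so the request path is decoded before the patterns are applied while the original string is kept for the report. Rule patterns and function names are the example’s own.

```python
import re
from urllib.parse import unquote

# Constructed combined-format log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2011:14:58:01 -0600] "GET /index.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2011:14:58:03 -0600] "GET /index.php?id=12%27%20OR%20%271%27=%271 HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jan/2011:14:58:04 -0600] "GET /index.php?id=12%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 14320 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2011:14:59:10 -0600] "GET /images/..%252f..%252f..%252fetc/passwd HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2011:14:59:12 -0600] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Nikto/2.1.4)"
192.0.2.44 - - [11/Jan/2011:15:00:00 -0600] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2011:15:00:02 -0600] "GET /uploads/sh.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

RULES = [
    ("sql injection", re.compile(r"(?i)(\bunion\b.{0,40}\bselect\b|'\s*or\s*'|--\s*$|\bsleep\(|\bbenchmark\()")),
    ("path traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("web shell", re.compile(r"(?i)\.php\?(cmd|exec|shell|c)=")),
    ("scanner user-agent", re.compile(r"(?i)(nikto|sqlmap|nessus|dirbuster|masscan)")),
]


def normalize(path):
    """Decode percent-encoding twice so double-encoded payloads
    (%252f -> %2f -> /) are matched as the server will interpret them."""
    return unquote(unquote(path))


def parse(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """One finding per (request, rule) hit: (time, client ip, rule, original path)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        decoded = normalize(rec["path"])
        for name, rx in RULES:
            target = rec["ua"] if name == "scanner user-agent" else decoded
            if rx.search(target):
                findings.append((rec["time"], rec["ip"], name, rec["path"]))
    return findings


def by_source(findings):
    """Group rule hits per client IP, which is how an intrusion reads in the log:
    probing, then a working injection, then a shell being used."""
    out = {}
    for _, ip, name, _ in findings:
        out.setdefault(ip, []).append(name)
    return out


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for when, ip, rule, path in hits:
        print(f"{when}  {ip:14} {rule:20} {path}")
    print(by_source(hits))
```

The 200 status on the UNION SELECT request with a response four times larger than the normal page is what turns “attack in progress” into “server was exploited”: the size column is worth including in any report.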
E-mail Forensics
E-mails all come with headers that give a wealth of information to identify the sender.
Can show:
IP address of the sender
All mail servers used (each relay prepends its own Received header, so the bottom-most one is closest to the sender)
Potentially the true username of the sender
When the message was really sent (each timestamp comes from that server’s own clock, so compare the hops: in the example below the sender’s mail host stamps 12:16:42 while the receiving server stamps 12:13:56, nearly three minutes of skew)
A unique Message-ID which can be used to track the message in mail server logs
E-mail headers
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500
Received: from mailhost.davismcgrath.com ([12.233.219.123])
	by thebox.pentex-net.com with esmtp (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1PzXoi-0000mf-Fw
	for [email protected]; Tue, 15 Mar 2011 12:13:56 -0500
Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com
	(Rockliffe SMTPRA 9.3.1) with ESMTP id <[email protected]>
	for <[email protected]>; Tue, 15 Mar 2011 12:16:42 -0500
From: "Kevin A. Thompson" <[email protected]>
To: <[email protected]>
References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry>
	<051601cbd9e9$bd0fae80$372f0b80$@com>
	<[email protected]>
In-Reply-To: <[email protected]>
Subject: RE: CBA - CLE/Seminar?
Date: Tue, 15 Mar 2011 12:16:39 -0500
Message-ID: <020b01cbe334$bf146320$3d3d2960$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA
Content-Language: en-us
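Walking a header chain like the one above, as an added example that is not from the original slides. The message is constructed in the same shape as the slide’s dump (an Outlook client on an internal LAN submits to the sender’s mail host, which relays to the recipient’s Exim server) using example domains and RFC 5737 addresses, and it reproduces the slide’s clock skew between the two hops. Received headers are read bottom-up because each relay prepends its own, so the last one in the header block is the hop closest to the sender. Function names are the example’s own.

```python
import email
import email.utils
import ipaddress
import re

# Constructed message (not a real one); folded header lines start with a tab.
SAMPLE = """\
Return-path: <sender@sender-firm.example>
Envelope-to: analyst@recipient.example
Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500
Received: from mailhost.sender-firm.example ([203.0.113.123])
\tby mx.recipient.example with esmtp (Exim 4.69)
\t(envelope-from <sender@sender-firm.example>)
\tid 1PzXoi-0000mf-Fw
\tfor analyst@recipient.example; Tue, 15 Mar 2011 12:13:56 -0500
Received: from WORKSTATION7 (unverified [192.168.3.69]) by mailhost.sender-firm.example
\t(Rockliffe SMTPRA 9.3.1) with ESMTP id <B0001.0001@mailhost.sender-firm.example>
\tfor <analyst@recipient.example>; Tue, 15 Mar 2011 12:16:42 -0500
From: "A. Sender" <sender@sender-firm.example>
To: <analyst@recipient.example>
Subject: RE: CBA - CLE/Seminar?
Date: Tue, 15 Mar 2011 12:16:39 -0500
Message-ID: <aabbcc01.0315@WORKSTATION7>
X-Mailer: Microsoft Office Outlook 12.0

(body omitted)
"""

RECEIVED = re.compile(
    r"from\s+(?P<claimed>\S+)"          # name the sending side announced (HELO/EHLO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # what the receiving server itself observed
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses, i.e. a LAN host behind the sender's mail server."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def hops(raw):
    """Received hops in chronological order (closest to the sender first)."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                 # unfold continuation lines
        m = RECEIVED.search(flat)
        ip = IPV4.search(flat)
        when = email.utils.parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip()) if ";" in flat else None
        out.append({"claimed_host": m.group("claimed") if m else None,
                    "by": m.group("by") if m else None,
                    "ip": ip.group(1) if ip else None,
                    "time": when})
    return out


def analyze(raw):
    """Origin of the message, the first relay visible from the outside, and the
    clock skew between consecutive hops (negative: the later relay's clock is
    behind the earlier one's), which is why 'when was it really sent' is
    answered by comparing hops rather than trusting the Date header."""
    h = hops(raw)
    msg = email.message_from_string(raw)
    origin = h[0] if h else {}
    skews = [int((later["time"] - earlier["time"]).total_seconds())
             for earlier, later in zip(h, h[1:]) if earlier["time"] and later["time"]]
    return {
        "hops": len(h),
        "origin_ip": origin.get("ip"),
        "origin_is_internal": bool(origin.get("ip") and is_internal(origin["ip"])),
        "origin_host": origin.get("claimed_host"),
        "first_public_relay": next((x["ip"] for x in h if x["ip"] and not is_internal(x["ip"])), None),
        "message_id": msg.get("Message-ID"),
        "hop_skews_seconds": skews,
    }


if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
    print(analyze(SAMPLE))
```

The internal 192.168.x address and the workstation name only identify the sender with the cooperation (or the logs) of the organization that owns mailhost.sender-firm.example; what an outside party can act on is the first public relay, the Message-ID to search for in that relay’s logs, and the skew that tells you which clock to correct before building a timeline.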
File Metadata
Many file types include metadata in them to indicate the creating user, when modified, etc.
Metadata can be examined even on machines you don’t control
Cell phones are notorious for including metadata with image files. This may even include the GPS coordinates of where a picture was taken.
Office documents (especially with track changes) can show every person who touched a file
In some cases, can include content that has been “redacted” when viewed normally.
Other data sources
Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files
Tablets and iPads
Online social network content (in particular, media)
Blog comments, forum posts
Webmail accounts
Questions?
John Bambenek
http://www.bambenekconsulting.com
312 – 725 – HACK (4225)