Forensic Digital Analysis - 123seminarsonly.com

Digital Forensics Analysis

Security’s weakest link… The Human Factor

Judith Vergara

February, 2003

What is Digital Forensics Analysis?

o The gathering and analysis of information for use in legal proceedings.

o Relatively new discipline.

The Current Debate

o Is Digital Forensics a Science?

o Science: A systematic activity requiring study and method. - Webster’s

Old School - It is NOT a science

o The majority of law enforcement personnel that have worked with forensics do not have a formal education in science or computers.

o Their expertise is gained by experience and/or training. They do not consider “data” as being scientific.

o The “Science” of forensics is limited to hair and blood samples, DNA, fibers, etc.

o Software tools used in digital forensics are not reviewed or approved by any governmental body.

o Processes used in the development of digital forensic tools and capabilities are not considered to be scientific.

o Tools are developed by individuals, based on the needs of the community, and subsequently released to the general public.


New School - It IS a science

o The integral component of digital analysis is being able to PROVE the validity of the data gathered.

Acquisition of Digital Evidence

o “Evidence” implies that the collector of evidence is recognized by the courts.

o The process of collecting is assumed to be a legal process.

o The appropriate Uniform Rules of Evidence or Federal Rules of Evidence apply.

Legal Definition – The Frye Test

o The test for admissibility of scientific evidence is:

o The proponent bears the burden of proving that the methodology or opinion is generally accepted in the relevant scientific community (Frye v. United States, 1923). In federal court Frye was superseded by Daubert v. Merrell Dow Pharmaceuticals (1993), under which the judge assesses the reliability of the method (testing, peer review, known error rate, standards, general acceptance) under Federal Rule of Evidence 702; a number of state courts still apply Frye.

http://www.law.com

Certification

Certified Forensic Computer Examiner (CFCE)

http://www.iacis.com

International Association of Computer Investigative Specialists

IACIS

o IACIS is an international volunteer non-profit corporation.

o Composed of law enforcement professionals dedicated to education in the field of forensic computer science.

o Members represent Federal, State, Local and International Law Enforcement professionals.

o Regular IACIS members have been trained in the forensic science of seizing and processing computer systems.

The Integral Piece That Encompasses All Entities

Digital Forensics Research Workshop http://dfrws.org

What happened to initiate contact?

o Defacement of Web pages – destruction of property

o Malicious DBS alteration

o Murder

o Pornography usage

o To prove an alibi

o Sabotage to the organization

o Extortion

o Theft of corporate intellectual property

o Computer-controlled building functions

o Computer network being used as jump-off point

o Military weapons systems altered

o Satellite communication system takeover

Before You Arrive – Ask Questions!

o Have the compromised systems been secured? If not, do so immediately.

o Is there an IDS in place?

o Who first noticed the incident?

o Any suspects? Is the attacker still online?

o Are there security policies/procedures in place?

o Has law enforcement been contacted?

o Copy of the network architecture?

o Hardware platforms in use?

o What size are the compromised hard drives?

o Is the compromised system classified?

o Will the System Administrator or other company experts be available at my disposal?

o Does the crime scene area forbid electronic communication devices – i.e. cell phones?

What Do I Do Now?

o FBI Investigative Techniques
  - Check records, logs, and documentation
  - Interview personnel
  - Conduct surveillance
  - Prepare search warrant
  - Search the suspect’s premises if necessary
  - Seize evidence

o Digital Evidence: Standards & Principles http://www.fbi.gov

On Site: Pre-Briefing (about 15 minutes) with all involved personnel.

o Get updated situation status.

o Ask additional questions.
  - Some to the group.
  - Some by individual.
  - Use discretion and tact!

o BE INFORMED – Know your limits! Department of Justice, Search and Seizure Guidelines: http://www.usdoj.gov/criminal/cybercrime.html

Tools of the Trade

Critical:

1. ALWAYS maintain chain of custody.

2. Keep the evidence in a secured area with proper access controls.

3. Perform analysis on images – never on the original.

National Institute of Standards and Technology (NIST), Computer Forensics Tool Testing program: http://www.cftt.nist.gov
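The three rules above are what hashing and a custody log enforce in practice. The following is an added example, not code from the presentation or from any of the tools it names: a Python script that copies a source device bit for bit into an image, hashes both the source stream and the written image, records a chain-of-custody entry, and re-verifies a working copy before analysis. The device path, case number, examiner ID and the drive contents are constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: the medium is hashed as a stream, never loaded whole


def hash_file(path: str) -> dict[str, str]:
    """Stream a file through MD5 (to compare with older tool output) and SHA-256."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire_image(source: str, image: str) -> dict:
    """Bitstream copy of `source` to `image`, hashing what was read and what was written.

    Opening the source read-only keeps *this* program from writing to it; it is not a
    write blocker. The OS or an auto-mounter can still touch the media, so the source
    belongs behind a hardware write blocker (or at least a read-only block device flag).
    """
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    # Re-read the image from disk: this catches a bad write, not just a bad read.
    if hash_file(image) != source_hashes:
        raise RuntimeError("image on disk does not match the source stream; re-acquire")
    return {"source": source, "image": image, "bytes": size, "hashes": source_hashes,
            "acquired_at": datetime.now(timezone.utc).isoformat()}


def verify_image(path: str, record: dict) -> bool:
    """Re-hash a copy against the acquisition record; run before every analysis session."""
    return hash_file(path) == record["hashes"]


def append_custody(log_path: str, event: str, record: dict, handler: str) -> None:
    """Append one chain-of-custody entry: who, when, which event, which image, which hashes."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event,
             "handler": handler, "image": record["image"], "hashes": record["hashes"]}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")


def demo() -> dict:
    """acquire -> log -> copy -> verify -> (stray write) -> verify, on a constructed drive."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed stand-in for a seized drive (a real run would point at e.g. /dev/sdb).
        evidence = os.path.join(work, "suspect_disk.raw")
        image = os.path.join(work, "case-0001_suspect_disk.dd")     # case number is made up
        working = os.path.join(work, "case-0001_working_copy.dd")
        log = os.path.join(work, "custody.jsonl")
        with open(evidence, "wb") as f:
            f.write(b"MBR" + b"\x00" * 509 + b"secret memo: meet at 0300\n" * 40)

        record = acquire_image(evidence, image)
        append_custody(log, "acquired", record, handler="examiner-01")  # ID is made up

        shutil.copyfile(image, working)          # analyse the copy, never the original
        verified_before = verify_image(working, record)

        with open(working, "r+b") as f:          # simulate one stray write during analysis
            f.seek(512)
            f.write(b"X")
        verified_after = verify_image(working, record)
        append_custody(log, "verified" if verified_after else "hash-mismatch",
                       record, handler="examiner-01")

        with open(log) as f:
            entries = [json.loads(line) for line in f]
        return {"bytes": record["bytes"], "verified_before": verified_before,
                "verified_after_tamper": verified_after, "custody_entries": len(entries),
                "sha256": record["hashes"]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines so each handling event carries the hashes it was checked against; a mismatch on the working copy, as in the simulated stray write, is logged rather than silently worked around, and the examiner goes back to the verified master image.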

Tools of the Trade, con’t.

o SafeBack – To obtain a bitstream backup (bit-by-bit copy of the hard drive) of the compromised system.

o GetTime – To document the time and date settings of a victim computer. Reads from CMOS.

o FileList, FileCnvt, Excel – FileList catalogs the contents of the disk; FileCnvt converts its output so that it can be read in Excel.

o GetFree – To obtain the content of all unallocated space (where the remnants of deleted files persist until overwritten) on the analysis computer.

All tools available from New Technologies, Inc. http://www.Forensics-Intl.com

Tools of the Trade, con’t.

o Swap files and GetSwap – If the Microsoft OS uses static swap files, copy those files to a Zip drive; GetSwap extracts the data found in the computer’s “swap” or “page” files.

o GetSlack – To capture data contained in the file slack of the hard drive on the analysis computer.

o Filter_I – To make binary data printable and to extract potentially useful data from a large volume of binary data.
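GetFree, GetSlack and Filter_I do three things: collect the clusters no live file owns, collect the tail of each file’s last cluster past its logical end, and pull printable strings out of the resulting binary dump. The example below is added here and is not code from the presentation or from New Technologies, Inc.; it implements those three steps in Python over a small constructed volume with 512-byte clusters and a hand-built directory, and assumes files occupy contiguous clusters so that no FAT chain has to be walked (real tools read the file system’s own allocation structures).

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

CLUSTER_SIZE = 512  # assumption for the constructed volume; real values come from the boot sector


@dataclass(frozen=True)
class FileEntry:
    """Directory-entry view of a live file. Assumption: its clusters are contiguous."""
    name: str
    first_cluster: int
    logical_size: int

    @property
    def cluster_count(self) -> int:
        return math.ceil(self.logical_size / CLUSTER_SIZE)

    @property
    def clusters(self) -> range:
        return range(self.first_cluster, self.first_cluster + self.cluster_count)


def file_slack(volume: bytes, entry: FileEntry) -> bytes:
    """Bytes from the file's logical end to the end of its last allocated cluster (GetSlack)."""
    start = entry.first_cluster * CLUSTER_SIZE
    logical_end = start + entry.logical_size
    allocated_end = start + entry.cluster_count * CLUSTER_SIZE
    return bytes(volume[logical_end:allocated_end])  # empty when the size is a cluster multiple


def unallocated_clusters(total_clusters: int, entries: list[FileEntry],
                         reserved: frozenset[int] = frozenset({0})) -> list[int]:
    """Cluster numbers owned by no live file and not reserved for file-system metadata."""
    owned = set(reserved)
    for e in entries:
        owned.update(e.clusters)
    return [c for c in range(total_clusters) if c not in owned]


def unallocated_space(volume: bytes, entries: list[FileEntry]) -> bytes:
    """Concatenate every unallocated cluster (GetFree); deleted files sit here until overwritten."""
    total = len(volume) // CLUSTER_SIZE
    return b"".join(volume[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                    for c in unallocated_clusters(total, entries))


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes (what Filter_I does to a binary dump)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_sample_volume() -> tuple[bytes, list[FileEntry]]:
    """Construct an 8-cluster volume (4096 bytes) with residue in slack and free space.

    cluster 0     reserved
    clusters 1-2  report.txt, 700 bytes live, so 324 bytes of slack in cluster 2
    cluster 3     note.txt, 100 bytes live, so 412 bytes of slack
    clusters 4-7  unallocated; cluster 5 still holds a deleted file's content
    """
    vol = bytearray(8 * CLUSTER_SIZE)
    # Residue left by earlier, larger files that once owned these clusters (constructed).
    vol[1 * CLUSTER_SIZE:3 * CLUSTER_SIZE] = (b"OLD PASSWORD=hunter2 ; " * 45)[:2 * CLUSTER_SIZE]
    vol[3 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = (b"memo: wire 40k to acct 7731 | " * 18)[:CLUSTER_SIZE]
    deleted = b"DELETED FILE: meeting at 0300, bring the drives\x00"
    vol[5 * CLUSTER_SIZE:5 * CLUSTER_SIZE + len(deleted)] = deleted
    # Live files are written over the front of their clusters; the tails keep the old bytes.
    report = FileEntry("report.txt", first_cluster=1, logical_size=700)
    note = FileEntry("note.txt", first_cluster=3, logical_size=100)
    vol[1 * CLUSTER_SIZE:1 * CLUSTER_SIZE + 700] = (b"Q1 report: all systems nominal. " * 22)[:700]
    vol[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + 100] = (b"Lunch at noon. " * 7)[:100]
    return bytes(vol), [report, note]


def demo() -> dict:
    """Run the three extraction steps over the constructed volume."""
    vol, entries = build_sample_volume()
    by_name = {e.name: e for e in entries}
    return {
        "report_slack_len": len(file_slack(vol, by_name["report.txt"])),
        "report_slack_strings": printable_strings(file_slack(vol, by_name["report.txt"])),
        "note_slack_len": len(file_slack(vol, by_name["note.txt"])),
        "free_clusters": unallocated_clusters(len(vol) // CLUSTER_SIZE, entries),
        "free_strings": printable_strings(unallocated_space(vol, entries)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two boundary cases matter in practice and are handled above: a file whose size is an exact multiple of the cluster size has no slack at all, and a zero-length directory entry owns no clusters, so neither contributes bytes. Everything recovered this way is unattributed residue; the strings show what once sat on the disk, not which file or user put it there.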

Tools of the Trade – Predominate Usage

o EnCase

o Intuitive GUI that enables examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated space.

o Automates core investigative procedures.

o The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process.

o EnCase's EnScript is a powerful macro-programming language and API that allows investigators to build customized and reusable forensic scripts.

http://www.guidancesoftware.com/whitepapers/v4_eee_features.pdf

Caution

o Always use a write-block utility when using imaging and analysis utilities!

o SafeBack (previous slide)

o Hardware utility – FastBloc: full documentation/usage for IDE hard drives available at: http://www.guidancesoftware.com/support/downloads/FastBlocWP.pdf

o A hardware write blocker sits between the drive and the host and protects the evidence regardless of what the operating system or the examiner’s software does; a software-only blocker protects only against the process it controls.

Operation Enduring Freedom - Analysis and Recovery

o Forensics is playing a critical role.
  - Terrorist factions are using computers and related equipment in their communication network.
  - When identified, forensic analysis must occur in an expeditious manner.
  - Information found could suggest possible targets, movements, communication methods, and location.

The Message of an Expert

o "Continued corroboration between public and private sector organizations working in the field of digital forensics must continue, if this area is to become recognized as one of the forensic sciences".

- Daniel Kalil, Digital Forensics Specialist, 11 February 2003

o http://www.rl.af.mil

Additional References

o Cyberforensics Science & Technology Center, Air Force Research Laboratory, New York. Daniel J. Kalil, Digital Forensics Specialist. http://www.rl.af.mil

o American Academy of Forensic Sciences http://www.aafs.org

o International Journal of Digital Evidence http://www.ijde.org

o Cyber Crime Investigator’s Field Guide (2002), Auerbach Publications, Bruce Middleton. http://www.auerback-publications.com

A very special “Thank-you” to Daniel Kalil

Digital Forensics Specialist, Northrop Grumman IT TASC

Cyberforensics Science & Technology Center, Air Force Research Laboratory/IFGB

for being so patient and responsive to my incessant questions. His knowledge and expertise have ignited a spark that will last a lifetime!