Introduction to Digital Forensics
Florian Buchholz
What is Digital Forensics?
• Emerging discipline in computer security
  – “voodoo science”
  – No standards, little research
• Investigation that takes place after an incident has happened
• Try to answer questions: who, what, when, where, why, and how
Types of investigations
• Determine what the incident was and get back to a working state
• Internal investigation
  – Should be based on IR policy
  – May lead to criminal investigation
• Criminal investigation
• Support for “real world” investigations
Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
Phase 1: Acquisition
• Analogous to the crime scene in the “real world”
• Goal is to recover as much evidence as possible without altering the crime scene
• Investigator should document as much as possible
• Maintain chain of custody
Acquisition (2)
• Determine if incident actually happened
• What kind of system is to be investigated?
  – Can it be shut down?
  – Does it have to keep operating?
• Are there policies governing the handling of the incident?
• Is a warrant needed?
Acquisition (3)
• Get most fleeting information first
  – Running processes
  – Open sockets
  – Memory
  – Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up original system in the evidence locker
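The imaging and chain-of-custody steps above, as an added example that is not part of the slides: a dd-style block copy that hashes the source while it is read, re-hashes the resulting image, and records both digests in a custody log so the copy can be re-verified later. The "device" is an in-memory byte string constructed for the example; on a real case the source would be the raw block device behind a write blocker.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512  # dd-style block size used for reading the source device

# Constructed stand-in for a seized storage device (not real evidence).
SAMPLE_DEVICE = b"BOOT" + bytes(range(256)) * 4 + b"\x00" * 120


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the stream as it is read.
    Returns the SHA-256 hex digest of everything read from src; that value
    goes into the acquisition notes as the hash of the original."""
    digest = hashlib.sha256()
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        dst.write(chunk)
    return digest.hexdigest()


def hash_stream(src, block_size=BLOCK_SIZE):
    """Independently hash a stream (used to verify the image after writing)."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: src.read(block_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def custody_entry(item_id, action, handler, digest):
    """One chain-of-custody record: who did what to which item, when, and the
    hash that ties the record to the exact bytes that were handled."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {"item": item_id, "action": action, "handler": handler,
            "time_utc": stamp, "sha256": digest}


def acquire(device_bytes, item_id, handler):
    """Image the device, verify the copy against the source hash and return
    (image_bytes, verified, custody_log)."""
    src, dst = io.BytesIO(device_bytes), io.BytesIO()
    source_hash = image_device(src, dst)
    log = [custody_entry(item_id, "imaged", handler, source_hash)]
    dst.seek(0)
    image_hash = hash_stream(dst)
    verified = image_hash == source_hash
    log.append(custody_entry(item_id + "-img",
                             "verified" if verified else "VERIFY FAILED",
                             handler, image_hash))
    return dst.getvalue(), verified, log


def verify_image(device_bytes, image_bytes):
    """Re-check at any later point that an image still matches the original."""
    return (hashlib.sha256(device_bytes).hexdigest()
            == hashlib.sha256(image_bytes).hexdigest())


if __name__ == "__main__":
    image, ok, log = acquire(SAMPLE_DEVICE, "HDD-001", "examiner")
    print("verified:", ok)
    for entry in log:
        print(entry)
```

Hashing the source stream during the copy, rather than reading the original a second time, keeps the number of reads from the evidence to a minimum; the second hash is taken from the image only.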
Phase 2: Recovery
• Goal is to extract data from the acquired evidence
• Always work on copies, never the original
  – Must be able to repeat entire process from scratch
• Data, deleted data, “hidden” data
File systems
• Get files and directories
• Metadata
  – User IDs
  – Timestamps (MAC times)
  – Permissions, …
• Some deleted files may be recovered
• Slack space
File deletion
• Most file systems only delete directory entries but not the data blocks associated with a file.
• Unless blocks get reallocated the file may be reconstructed
  – The earlier, the better the chances
  – Depending on fragmentation, only partial reconstruction may be possible
Slack space
• Unallocated blocks
  – Mark blocks as allocated to fool the file system
• Unused space at end of files if it doesn’t end on block boundaries
• Unused space in file system data structures
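The File deletion and Slack space slides above, as an added example that is not part of the original deck: a toy block-based file system (constructed for the example, 16-byte blocks) in which deleting a file only drops the directory entry and clears the allocation bits. The demo shows that the file can be carved whole right after deletion, that once a new file reuses the first block only the tail can be recovered, and that the bytes of the old file left in the new file's last block are exactly its file slack.

```python
BLOCK_SIZE = 16  # tiny block size so the example fits on a screen


class ToyFS:
    """Minimal block file system: directory (name -> size, block list), an
    allocation bitmap and raw blocks. delete_file() never wipes blocks."""

    def __init__(self, nblocks):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.allocated = [False] * nblocks
        self.directory = {}  # name -> (size, [block numbers])

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("no space left")
        chosen = free[:needed]
        for k, blk in enumerate(chosen):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            # Only the bytes actually written are overwritten; whatever was
            # in the rest of the last block stays there as file slack.
            self.blocks[blk][:len(chunk)] = chunk
            self.allocated[blk] = True
        self.directory[name] = (len(data), chosen)

    def read_file(self, name):
        size, chosen = self.directory[name]
        return bytes(b"".join(self.blocks[b] for b in chosen)[:size])

    def delete_file(self, name):
        _, chosen = self.directory.pop(name)
        for blk in chosen:
            self.allocated[blk] = False  # data blocks are left intact

    def slack_of(self, name):
        """Bytes of the file's last block that lie past the end of the file."""
        size, chosen = self.directory[name]
        used_in_last = size - (len(chosen) - 1) * BLOCK_SIZE
        return bytes(self.blocks[chosen[-1]][used_in_last:])


def unallocated_data(fs):
    """Concatenate every unallocated block in block order, as a recovery
    tool would when dumping unallocated space."""
    return b"".join(bytes(fs.blocks[i])
                    for i, used in enumerate(fs.allocated) if not used)


def carve(fs, magic):
    """Look for a deleted file by its signature: find an unallocated block
    that starts with `magic` and follow contiguous unallocated blocks. The
    true size was lost with the directory entry, so zero padding is trimmed."""
    for i, used in enumerate(fs.allocated):
        if used or not fs.blocks[i].startswith(magic):
            continue
        out, j = bytearray(), i
        while j < len(fs.blocks) and not fs.allocated[j]:
            out += fs.blocks[j]
            j += 1
        return bytes(out).rstrip(b"\x00")
    return None


def demo():
    fs = ToyFS(6)
    secret = b"TOP SECRET: meet at dawn by the old mill"  # 40 bytes -> 3 blocks
    fs.write_file("secret.txt", secret)
    fs.delete_file("secret.txt")
    # 1. Right after deletion the whole file can be carved from unallocated space.
    carved_early = carve(fs, b"TOP SECRET")
    # 2. A new 10-byte file reuses block 0 and overwrites the header ...
    fs.write_file("new.txt", b"grocery123")
    carved_late = carve(fs, b"TOP SECRET")
    # ... but blocks 1 and 2 still hold the tail: partial reconstruction.
    tail = unallocated_data(fs).rstrip(b"\x00")
    # 3. The last 6 bytes of block 0 were never overwritten: the slack of
    #    new.txt still holds a remnant of the deleted file.
    slack = fs.slack_of("new.txt")
    return {"carved_early": carved_early, "carved_late": carved_late,
            "tail": tail, "slack": slack}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Real file systems add indirection (inodes, extents, journals) that this toy omits, but the three effects it shows are the ones a recovery tool relies on: unallocated blocks keep their contents, reuse overwrites them from the start of the file, and the unused tail of a block is never touched.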
Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to store information
• Most common in images, but may also be used on executable files, metadata, file system slack space
Encrypted data
• Depending on encryption method, it might be infeasible to get to the information.
• Locating the keys is often a better approach.
• A suspect may be compelled to reveal the keys by law.
Recovery (cont.)
• Locating hidden or encrypted data is difficult and might even be impossible.
• Investigator has to look at other clues:
  – Steganography software
  – Crypto software
  – Command histories
File residue
• Even if a file is completely deleted from the disk, it might still have left a trace:
  – Web cache
  – Temporary directories
  – Data blocks resulting from a move
  – Memory
Phase 3: Analysis
• Methodology differs depending on the objectives of the investigation:
  – Locate contraband material
  – Reconstruct events that took place
  – Determine if a system was compromised
  – Authorship analysis
Contraband material
• Locate specific files
  – Databases of illegal pictures
  – Stolen property
• Determine if existing files are illegal
  – Picture collections
  – Music or movie downloads
Locating material
• Requires specific knowledge of file system and OS.
• Data may be encrypted, hidden, obfuscated
• Obfuscation:
  – Misleading file suffix
  – Misleading file name
  – Unusual location
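The obfuscation cases listed above (misleading suffix, unusual location), as an added example that is not part of the slides: a small scanner that identifies content by its leading bytes instead of trusting the suffix, and flags files whose suffix and content disagree or whose content is an executable stored under a media directory. The signature table, suffix map, "media directory" heuristic and sample file headers are all constructed for the example; a production tool would use a full signature library such as libmagic.

```python
import os

# Content signatures ("magic bytes") for a few common types (constructed, short list).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # docx/xlsx/jar are zip containers too
    b"\x7fELF": "elf",
    b"MZ": "exe",
}

# What each suffix claims the content to be.
SUFFIX_CLAIMS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".jar": "zip",
    ".exe": "exe", ".dll": "exe", ".so": "elf",
    ".mp3": "mp3", ".txt": "text",
}

# Directories where an executable is out of place (constructed heuristic).
MEDIA_DIRS = ("/Pictures/", "/Music/", "/Videos/", "/Documents/")


def sniff(header):
    """Identify content by signature; longest signature wins."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if header.startswith(magic):
            return kind
    return "unknown"


def suspicious_reasons(path, header):
    """Return the reasons a file deserves a closer look (empty list if none)."""
    suffix = os.path.splitext(path)[1].lower()
    claimed = SUFFIX_CLAIMS.get(suffix, "unknown")
    actual = sniff(header)
    reasons = []
    if actual != "unknown" and claimed != "unknown" and actual != claimed:
        reasons.append(f"suffix {suffix} claims {claimed} but content is {actual}")
    if actual in ("elf", "exe") and any(d in path for d in MEDIA_DIRS):
        reasons.append(f"{actual} executable stored under a media directory")
    return reasons


def scan(files):
    """files: path -> first bytes of the file. Returns only the flagged entries."""
    flagged = {}
    for path, header in files.items():
        reasons = suspicious_reasons(path, header)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample headers (first bytes of each file on the image).
SAMPLE_FILES = {
    "/home/alice/Pictures/vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/home/alice/Documents/report.pdf": b"PK\x03\x04\x14\x00\x06\x00",
    "/home/alice/Music/track01.mp3": b"\x7fELF\x02\x01\x01\x00",
    "/home/alice/Documents/thesis.docx": b"PK\x03\x04\x14\x00\x00\x00",
    "/home/alice/Downloads/setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "/home/alice/notes.txt": b"meeting notes\n",
}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Files whose content the scanner cannot identify are deliberately not reported as mismatches; an unknown signature is a gap in the table, not evidence of obfuscation, and reporting it would bury the real hits among false positives.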
Event reconstruction
• Utilize system and external information
  – Log files
  – File timestamps
  – Firewall/IDS information
• Establish timeline of events
Time issues
• Granularity of time keeping
  – Can’t order events that occur in the same time interval
• Multiple systems:
  – Different clocks
  – Clock drift
• E-mail headers and time zones
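The Event reconstruction and Time issues slides above, as an added example that is not part of the original deck: events from a firewall log (UTC, synced), a workstation's file timestamps (local time, clock measured 90 seconds fast) and an e-mail Date header (its own offset) are normalised to UTC, corrected for the measured skew, sorted into one timeline, and pairs that share a timestamp within one source are reported as unorderable. The clock notes and all events are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed clock notes per evidence source. In a real case these come from
# the acquisition documentation: the system's time zone and the skew measured
# against a trusted reference when the system was seized.
CLOCKS = {
    "firewall": {"tz": timezone.utc, "skew": timedelta(0)},                       # NTP-synced
    "ws1": {"tz": timezone(timedelta(hours=-5)), "skew": timedelta(seconds=90)},  # 90 s fast
}


def to_utc(source, local_str, correct_skew=True):
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' string in the source's time
    zone, then subtract the measured skew so it lines up with true UTC."""
    clock = CLOCKS[source]
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    utc = naive.replace(tzinfo=clock["tz"]).astimezone(timezone.utc)
    return utc - clock["skew"] if correct_skew else utc


def email_date_to_utc(header_value):
    """RFC 2822 Date headers carry their own offset; normalise to UTC."""
    return parsedate_to_datetime(header_value).astimezone(timezone.utc)


# Constructed evidence: (source, UTC time, description).
# Without the skew correction the workstation events would land at 14:03:40,
# after the firewall entry, and the order of events would be misread.
EVENTS = [
    ("ws1", to_utc("ws1", "2022-03-01 09:03:40"), "mtime of payload.bin"),
    ("ws1", to_utc("ws1", "2022-03-01 09:03:40"), "atime of notes.txt"),
    ("firewall", to_utc("firewall", "2022-03-01 14:02:11"),
     "ACCEPT 10.0.0.5 -> 203.0.113.7:443"),
    ("mail", email_date_to_utc("Tue, 01 Mar 2022 16:05:00 +0200"),
     "e-mail sent to external address"),
]


def build_timeline(events):
    """Sort by corrected UTC time; the sort is stable, so ties keep input order."""
    return sorted(events, key=lambda e: e[1])


def unorderable_pairs(timeline):
    """Adjacent events from the same source with the same timestamp cannot be
    ordered by that source alone (1 s granularity here); flag them."""
    pairs = []
    for a, b in zip(timeline, timeline[1:]):
        if a[0] == b[0] and a[1] == b[1]:
            pairs.append((a[2], b[2]))
    return pairs


if __name__ == "__main__":
    timeline = build_timeline(EVENTS)
    for source, when, what in timeline:
        print(when.isoformat(), source.ljust(8), what)
    print("unorderable:", unorderable_pairs(timeline))
```

Keeping the per-source clock notes in one table, separate from the events, means a corrected skew measurement changes every event from that source consistently instead of being patched into individual records.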
The needle in the haystack
• Locating files:
  – Storage capacity approaches the terabyte magnitude
  – Potentially millions of files to investigate
• Event reconstruction:
  – Dozens, hundreds of events a second
  – Only last MAC times are available
  – Insufficient logging
Compromised system
• If possible, compare against known good state
  – Tripwire
  – Databases of “good” files
• Look for unusual file MACs
• Look for open or listening network connections (trojans)
• Look for files in unusual locations
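The known-good comparison above, as an added example that is not part of the slides: a Tripwire-style check that snapshots file hashes and modification times, diffs the seized system against the baseline, and separately flags files whose content changed while their mtime did not move forward, which is one way an unusual MAC time shows up. The file trees are constructed for the example.

```python
import hashlib
from datetime import datetime


def fingerprint(content):
    return hashlib.sha256(content).hexdigest()


def snapshot(tree):
    """tree: path -> (content bytes, mtime). Returns path -> (sha256, mtime),
    the kind of record a Tripwire-style integrity database stores."""
    return {path: (fingerprint(content), mtime)
            for path, (content, mtime) in tree.items()}


def compare(baseline, current):
    """Diff a current snapshot against the known-good baseline."""
    report = {"added": [], "removed": [], "modified": [], "timestamp_anomaly": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            (h0, m0), (h1, m1) = baseline[path], current[path]
            if h0 != h1:
                report["modified"].append(path)
                # Content changed but mtime did not move forward: the file was
                # altered without going through the normal file system path,
                # or the timestamp was reset afterwards. Either way, look closer.
                if m1 <= m0:
                    report["timestamp_anomaly"].append(path)
    return report


T_BASE = datetime(2021, 6, 1, 8, 0, 0)
T_NOW = datetime(2022, 3, 1, 14, 2, 10)

# Constructed file trees: the baseline taken at install time and the state
# found on the seized image (contents are placeholders, not real binaries).
BASELINE_TREE = {
    "/bin/ls": (b"ELF ls v1", T_BASE),
    "/usr/bin/ssh": (b"ELF ssh v1", T_BASE),
    "/etc/passwd": (b"root:x:0:0::/root:/bin/sh\n", T_BASE),
}
CURRENT_TREE = {
    "/bin/ls": (b"ELF ls v1 + extra code", T_BASE),   # changed, mtime untouched
    "/usr/bin/ssh": (b"ELF ssh v1", T_BASE),           # unchanged
    "/etc/passwd": (b"root:x:0:0::/root:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\n",
                    T_NOW),                            # changed, plausible mtime
    "/tmp/.x/listener": (b"ELF listener", T_NOW),      # new file in an odd place
}


def audit():
    return compare(snapshot(BASELINE_TREE), snapshot(CURRENT_TREE))


if __name__ == "__main__":
    for category, paths in audit().items():
        print(f"{category}: {paths}")
```

The baseline only helps if it was taken from a state that is known to be good and stored where the system under investigation could not alter it; a hash database that lived on the compromised host is itself evidence to be verified, not a reference.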
Unknown executables
• Run them in a constrained environment
  – Dedicated system
  – Sandbox
  – Virtual machine
• Might be necessary to disassemble and decompile
  – May take weeks or months
Authorship analysis
• Determine who or what kind of person created a file.
  – Programs (viruses, Trojans, sniffers/loggers)
  – E-mails (blackmail, harassment, information leaks)
• If the actual person cannot be determined, just determining the skill level of the author may be important.
Phase 4: Presentation
• An investigator who performed the analysis may have to appear in court as an expert witness.
• For internal investigations, a report or presentation may be required.
• Challenge: present the material in simple terms so that a jury or CEO can understand it.
Forensics Tools
• Acquisition
  – dd, pdd
  – SafeBack, …
• Recovery
  – Encase
  – TCT and SleuthKit
• Analysis
  – ?
• Presentation
  – ?
DF Investigator Profile
• Understanding of relevant laws
• Knowledge of file systems, OS, and applications
  – Where are the logs, what is logged?
  – What are possible obfuscation techniques?
  – What programs and libraries are present on the system and how are they used?
• Know what tools exist and how to use them
• Be able to explain things in simple terms
Future in DF
• The need for standards
  – Acquisition procedure: develop step-by-step instructions to be followed
  – Certification
    • Investigators
    • Tools
    • Operating Systems
Future in DF (2)
• Research
  – Create more meaningful audit data
  – Ensure integrity and availability of audit data
  – Privacy and Digital Forensics
  – Develop detection techniques
  – Develop automation processes
Future in DF (3)
• Documentation
  – File systems
    • Over 50 different FS currently in use
    • Most are poorly documented
  – Malware
    • “fingerprint” of bad programs
  – Good system state
    • Accessible databases
    • Every OS, version, patchlevel