Legal Issues in Computer Forensics 2
-
8/11/2019 Legal Issues in Computer Forensics 2
1/26
Computer Forensics
Jake Cunningham
Network Analyst, Office of Information Technologies
UMass Amherst
-
Computer Forensics
Today's Topics
This lecture is intended to give a general overview of the field of Computer Forensics. Due to time constraints I have left out specific details about tools, techniques and operating procedures.
Definitions
Situations in which one may conduct a forensic analysis
Role of the Forensic Investigator
Legal Issues to Consider
-
Computer Forensics
Definitions:
The Merriam-Webster Dictionary defines forensic(s) as:
the application of scientific knowledge to legal problems; especially: scientific analysis of physical evidence (as from a crime scene)
-
Computer Forensics
Definitions:
Wietse Venema and Dan Farmer (authors of The Coroner's Toolkit) defined Computer Forensics as:
Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system (http://www.fish.com/forensics/class.html)
-
Computer Forensics
When might one do a forensic analysis of a computer?
Analyze an intrusion or unauthorized use: trace the activities of the intruder on the system
Analyze and/or reverse engineer malware installed or left behind by an intruder
Monitor/analyze an authorized user's behavior on a computer: an employee's use (or misuse) of a computer
Law enforcement in the course of a criminal investigation
-
Computer Forensics
Six Steps of Incident Handling:
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
Computer Forensics is the Identification step of Incident Response.
-
Computer Forensics
Role of the Forensic Investigator
During an incident you may:
Have the role of the Incident Handler and work with a forensic investigator
Have the role of the Forensic Investigator and work with an Incident Handler
Have the role of both Incident Handler and Forensic Investigator
-
Computer Forensics
What happened?
Was there an incident? What is it?
What was changed on the system?
What activity happened on the system?
What files/applications were modified, accessed, or created?
Where did it happen?
What systems/services were affected?
What relationships do those systems have to others?
Where did the intruder/user come from (local/remote)?
Where did the intruder/user go to using the affected computer?
-
Computer Forensics
When did it happen?
When did the suspicious/anomalous activity start? When did it end?
When did important/key events occur?
How did it happen?
Virus: what was the infection vector?
Intruder: how did they gain access or elevate privileges on the system?
Authorized user: how did they gain access to files or websites, or conduct inappropriate behavior?
-
Computer Forensics
Collecting Evidence:
Rule #1 of Incident Response or Forensic Investigation:
ALWAYS TAKE GOOD NOTES!
Document everything! You WILL forget the details if you don't write them down.
-
Computer Forensics
Collecting Evidence:
To ensure that evidence is not altered, corrupted or destroyed:
Make sure you understand the OS and the ramifications of your actions on the system while collecting evidence.
Always work with tools that you are familiar with and that are known to be good. For example: use a customized incident response CD with statically linked binaries.
Always analyze bit copies of the filesystem and storage media rather than the original evidence disk.
-
Computer Forensics
Collecting Evidence:
Interview parties involved (if timing is appropriate)
Take inventory of all devices involved (make, model, s/n)
If system(s) are up and running, consider:
Gathering running process info
Getting a dump of memory
Gathering info about active network connections
Screen captures (if appropriate)
Make bit copies of physical media (hard disks, floppies, Zip disks, thumb drives etc.)
-
Computer Forensics
Collecting Evidence:
Tools to gather process and network info
Unix: ps, lsof, top, netstat (and look in /proc on Linux)
Windows: Task Manager, fport, pslist, ps, tcpview, netstat
-
Computer Forensics
Collecting Evidence:
What to look for in process and network info depends on the nature of the investigation.
System intrusion / computer user investigation:
Processes listening on suspicious network ports
Verify that well-known process names are the ones listening on well-known ports
Non-standard process names
Look for open or established network connections
Check for remote shares and remote user logins
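The checks above are easy to apply by hand on one machine, but a baseline of expected port-to-program pairs lets the same check run the same way every time and leaves a record of what was flagged. The script below is an added example, not part of the original slides: it reads a constructed `netstat -tlnp`-style listing (the tool the slide names) against a constructed baseline and flags LISTEN sockets whose program name differs from the baseline for that port, or whose port is not in the baseline at all. All hostnames, ports, PIDs and program names in the sample data are made up for this example.

```shell
# Added example (not from the original slides): baseline check over LISTEN
# sockets in netstat output. Sample baseline and listing are constructed.

# write_sample_inputs DIR
# Writes a constructed baseline of expected "<port> <program>" pairs and a
# constructed "netstat -tlnp"-style listing into DIR.
write_sample_inputs() {
    cat >"$1/baseline.txt" <<'EOF'
22 sshd
80 httpd
3306 mysqld
EOF
    # Constructed listing: the web server port is served by a look-alike
    # process name, and one listener sits on a port nothing should serve.
    cat >"$1/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1011/httdp
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      940/mysqld
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2210/sh
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 2301/sshd
EOF
}

# triage_listeners BASELINE NETSTAT_OUTPUT
# Prints one line per LISTEN socket whose program does not match the baseline
# entry for its port, or whose port has no baseline entry. Exit status is 0
# when nothing was flagged and 1 otherwise, so it can gate a collection script.
triage_listeners() {
    awk '
        # First argument: baseline lines of "<port> <expected program>"
        FILENAME == ARGV[1] { expect[$1] = $2; next }
        # Second argument: keep only LISTEN rows that carry a PID/Program column
        $6 == "LISTEN" && NF >= 7 {
            # Port is the text after the last ":", which also handles ":::22"
            n = split($4, addr, ":"); port = addr[n]
            split($7, pp, "/"); pid = pp[1]; prog = pp[2]
            if (port in expect) {
                if (prog != expect[port]) {
                    printf "UNEXPECTED program on port %s: %s (pid %s), baseline says %s\n", port, prog, pid, expect[port]
                    flagged = 1
                }
            } else {
                printf "UNKNOWN listener on port %s: %s (pid %s)\n", port, prog, pid
                flagged = 1
            }
        }
        END { exit flagged + 0 }
    ' "$1" "$2"
}
```

Run `triage_listeners baseline.txt netstat.txt` against a saved listing rather than piping live output through it, so the raw listing survives as evidence alongside the triage result. The baseline is the investigator's expectation for that host; a process name that almost matches (here `httdp` on port 80) is exactly the "non-standard process name" the slide warns about and would be missed by a check that only looked at ports.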
-
Computer Forensics
Collecting Evidence:
Tools to make bit copies of media
Encase (commercial)
FTK Imager (commercial)
Safeback (commercial)
dd, dcfldd for Unix and Windows (open source)
Various hardware-based duplicators (commercial); too many to list them all
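Whatever imaging tool is used, the point of a bit copy is that it can be shown to be identical to the media it came from, and that every later analysis runs on a copy that has been re-checked against that proof. The script below is an added example, not code from the original slides or from any of the tools listed: it uses `dd` (the open-source option above) to image a source, hashes source and image, writes both hashes and `dd`'s own record counts to an acquisition log (the "take good notes" rule), and provides a second function to re-verify a working copy before analysis. Paths and the sample media are placeholders constructed for this example.

```shell
# Added example (not from the original slides): image media with dd, record
# hashes in an acquisition log, and re-verify the copy before analysis.
# All paths are placeholders; the sample media in the test is constructed.

# sha256_of FILE
# Prints the SHA-256 digest of FILE using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_and_verify SOURCE IMAGE LOG
# Copies SOURCE to IMAGE bit for bit, hashes both, and appends the hashes
# (and dd's record counts) to LOG. Returns 0 when the hashes match, 1 if not.
image_and_verify() {
    src=$1; img=$2; log=$3

    # Hash the source first so the image is checked against the media as it
    # was at acquisition time.
    src_hash=$(sha256_of "$src")

    # noerror: keep reading past unreadable blocks instead of stopping.
    # sync: zero-fill those blocks so offsets in the image still line up with
    # offsets on the media. On sector-aligned media this pads nothing readable.
    # dd's "records in/out" summary goes to the log as part of the notes.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>>"$log" || {
        echo "dd failed for $src" >&2
        return 1
    }

    img_hash=$(sha256_of "$img")

    {
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) acquired $src -> $img"
        echo "  sha256(source)=$src_hash"
        echo "  sha256(image)=$img_hash"
    } >>"$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED $img_hash"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash" >&2
    return 1
}

# verify_image IMAGE EXPECTED_HASH
# Re-hashes a working copy and compares it to the hash recorded at acquisition.
# Run this before every analysis session; returns 0 if unchanged, 1 otherwise.
verify_image() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}
```

On a live device the source would be a block device path such as a placeholder `/dev/sdX`; the example tests on an ordinary file so it can run anywhere. The same two-hash discipline applies to any of the commercial imagers listed: whatever produces the copy, the recorded hash of the original is what lets you later show the copy was not altered.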
-
Computer Forensics
Collecting Evidence:
Tools to analyze bit copies of media (some examples; too many to list them all)
Encase (commercial)
FTK (commercial)
ProDiscover (commercial)
X-Ways Forensics (commercial)
SMART for Linux (commercial)
Shadow (commercial)
Sleuthkit/Autopsy (free)
-
Computer Forensics
Collecting Evidence:
What to look for when analyzing filesystem bit copies depends on the nature of the investigation.
System intrusion:
Timeline of events: when were files Modified, Accessed, Created (MAC times)?
Show all deleted files; recover deleted files
Analyze log files and/or auditing data; recent logins
-
Computer Forensics
Collecting Evidence:
Filesystem analysis cont.
Computer user investigation:
Log files and auditing records to determine logins, login times, and where logged in from
Web sites visited (web browser history)
Contents of web browser cache
Contents of images, emails and documents
Show and recover deleted files
Search filesystem for keywords
-
Computer Forensics: Legal Issues to Consider
Note:
I am not a lawyer; I am by no means a legal expert.
This is NOT legal advice. These are simply things to consider when performing a forensic analysis or responding to an incident.
ALWAYS check with the legal counsel of your employer before conducting a forensic analysis or investigation.
-
Computer Forensics: Legal Issues to Consider
While investigating, ALWAYS avoid:
Violating someone's rights
Breaking the law yourself
Compromising the investigation by not following proper procedure
-
Computer Forensics: Legal Issues to Consider
One should be aware of federal, state, provincial and local computer laws when responding to an incident or performing a forensic analysis (to cover yourself, not necessarily to prosecute).
U.S. federal laws to consider:
Computer Fraud and Abuse Act (18 U.S.C. 1030): criminalizes attacks, intrusions and damage to protected computers
Wiretap Act (18 U.S.C. 2511): criminalizes interception of voice and electronic communications
Electronic Communications Privacy Act (ECPA, 18 U.S.C. 2701-12): governs access to stored voice and electronic communications and data
-
Computer Forensics: Legal Issues to Consider
Does company policy allow for analysis of a computer without a court subpoena?
Have employees signed a waiver or consented to an acceptable use policy which allows:
Network monitoring/traffic interception
Access to any stored data on company computers
Does the waiver or policy cover personal computers connected to the company network?
There are many things to consider; this is simply to give you an idea of some of the issues you may encounter.
-
Computer Forensics: Anti-Forensics
Anti-Forensics: destroying or hiding data to limit the success of a forensic investigation.
Defiler's Toolkit: alters inode data on ext2 filesystems.
http://www.phrack.org/phrack/59/p59-0x06.txt
Metasploit Anti-Forensics
http://www.metasploit.com/projects/antiforensics/
Burneye: encrypts ELF binaries; attempts to defeat reverse engineering.
burndump is a burneye un-wrapper.
-
Computer Forensics: Anti-Forensics
Anti-Forensics continued
File encryption, encrypted filesystems, encrypted disks
Magnetic degausser: destroys the magnetic field on magnetic media
Commercial secure deletion or disk wiping programs
Good ol' fashioned physical destruction of media (sledgehammer etc.)
-
Computer Forensics
Conclusion:
Every incident/investigation is unique.
The right thing to do comes from experience and lessons learned.
Any questions?