Test 2
Challenges of Mobile Technology
A wide variety of devices means there is no "one" tool Ease of connectivity adds to the risk that evidence can be compromised Legal issues can be very convoluted
Memory Capture Procedures
Start the documentation process Run a batch file that collects user information, network connections, time/date, and open files Collect a memory dump Copy the paging file Copy any hibernation files
Advanced Search Methods
Stationary User Profiles - a method of determining if a user makes use of multiple accounts Similar Users- a way of determining is what appears to be a single user is actually multiple users Attachment Statistics- a user's typical behavior regarding attachments is analyzed
Three steps in the initiation of any forensic investigation (chapter 7):
Secure the crime scene Remove individuals involved Document all activity.
Computer Online Forensic Evidence Extractor
This tool was created by Microsoft specifically for use by law enforcement. It is an online tool that is being provided free of charge to law-enforcement agencies by Microsoft. This tool is meant to be very easy to use so that with minimal training, any law-enforcement agent can utilize the tool. It is also meant to be used on live systems. This tool has the ability to do the following: Decrypt passwords. Search a computer's Internet activity. Analyze what is live in volatile memory.
3 areas of the law that you have to be aware of (chapter 7)
1. Constitutional rights and restrictions 2. Legislated privacy regulations 3. Working beneath the corporate shield
Sequence of Search and seizure (chapter 7)
1. Investigator requests warrant 2. Judge issues search warrant 3. Search, Find and Seize 4. For digital evidence, material is seized and transported to another location
Applications and services logs
Applications and services logs are a new category of event logs. These logs store events from a single application or component rather than events that might have systemwide impact. This can reveal problems with a specific application or Windows component. This is not as interesting from a forensic perspective as the other logs are.
guidlines
Be honest with all answers. Don't guess or speculate. Don't forget you have a right to confer with counsel. Don't volunteer information. Remain calm and polite. Correct mistakes. Never joke in a deposition. Be aware of traps Don't make small talk or chat. Don't waive the reading
How Logs get Cleared
Clearing the log; any user with administrative privileges can simply sip out a log. However, this will be obvious when you see an empty event log. Using auditpol.exe. This is an administrative utility that exists in Windows systems. It won't show on the desktop or in the programs; you have to know it's there and go find it. Using auditpol \ipaddress /disable turns off logging. Then, when the criminal exits, he or she can use auditpol\ipaddress /enable to turn it back on. There are a number of utilities on the Web that can assist an attacker in this process. For example, WinZapper allows one to selectively remove certain items from event logs in Windows.
Document specific losses (chapter 7)
Cost of equipment (if damaged) Labor cost spent in response and recovery (multiply the number of participating staff by their hourly rates) If data was stolen/lost what was the value?
Disk Image File Formats
DD Images (bit-for-bit) Expert Witness Format (EWF) Advanced Forensic Format Safeback (by NTI) ILook Imager ProDiscover File Format
Evidence from the Browser
Depending on the computer crime in question one might find evidence in the browser When using internet Explorer, one can go to the toolbar and see the entire browsing history for that user. Another thing to check is the title bar. Some people do not realize that this is separate from the history. The title bar only web addresses that are typed in, not websites that are searched for via a search engine such as Google or Yahoo.
DECAF
Detect and Eliminate Computer Assisted Forensics. DECAF provides real-time monitoring for COFEE signatures and will attempt to interfere with the operation of COFEE.DECAF is a utility specifically created for the obstruction of COFEE.
The Sleuth Kit
Disk Investigator is a free utility that comes as a graphic user interface for use with Windows.
Media Capture
Document everything Use a forensic write-blocker when copying any data Do NOT use standard copy utilities to make copies Store all images on forensically sound media
Router and Switch Forensics
Don't analyze device over network Enable logging before connecting to the device Record all volatile information first Record time-date stamps
Tracing the Origin of a Message
Each server that relays the message adds its IP address Each relay server maintains logs for a certain period of time that indicates the IP address of the sender as well as the intended recipient While the time stamp can be manipulated at the origin, the ones added along the way are likely real
Email Addresses
Each user Id Must be unique to a particular domain The same user ID on a different domain may or may not represent the same user User Ids are easily spoofed with the right software
Email Forensics
Email is often the best evidence Contents can demonstrate intent Header data can demonstrate the source Timestamps can show intent to mislead Show up as evidence in a vast majority of cases MUA: Mail Use MTA: Mail Transport
Search Results
False Positives - looks right but isn't False Negatives-- doesn't look right, but is A measure of accuracy is "precision" Ratio of false positives to false negatives A measure of effectiveness is "recall" Percentage of relevant emails that were found
Sources of Evidence (chapter 7)
Hard drives System logs Portable storage (USB) Router Logs Emails Chat room logs Logs from security devices such as firewalls and intrusion detection systems Databases and database logs.
/var/log/apache2/*:
If this machine is running the Apache Web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the Web server.
Recovering Files from Windows
In the Windows operating system, the file records are in a table called a File Allocation Table (FAT). Incidentally, that is where the FAT and FAT32 names come from for the file systems used in Windows 3.1 and Windows 95/98. Since Windows 2000, Microsoft operating systems have used NTFS for their file system; however, NTFS still keeps a file table. When a file is deleted, it is first moved to the Recycle Bin. You should always check here first as a file in the recycle bin can simply be restored. If the suspect has already emptied the Recycle Bin, don't worry; all is not lost. The way Windows works is that when you delete a file, it is actually just moved to a new location, the Recycle Bin. When you empty the Recycle Bin, the file is simply removed from the file allocation table—but it is still on the hard drive.
Memory Capture Tips
Keep your memory footprint to a minimum Run from a flash drive if possible Copy memory image to an external device Make sure device capturing image can handle large files Computers today have large amounts of RAM Many USB drives continue to be formatted to FAT32 (4GB maximum file size)
Encase
Know your own operating system Know their operating system Don't attempt to copy files bc it'll change the time stamps (or alter files) Create a folder for forensic cases → specify which case it is → then create three subfolders, an export folder, a temporary folder, and an index folder Evidence file contains the header, the checksum, and the data blocks. Evidence File is an exact copy of the hard drive (verified with the cyclical redundancy (CRC)) Encase will calculate a MD5 when the drive is acquired
Never work on the Original
Make forensically sound copies Keep a master copy and make several working copies Calculate a hash value of each copy and make sure they match Each copy must have a unique identifier
Capturing Memory
Memory is a device Memory can be dumped into a file The amount of memory capture may be different from the amount of installed RAM Some utilities capture device cache memory Some utilities don't capture installed RAM devoted as a device cache
Chat Room Logs
Most Chat software keeps at least a temporary log of conversations. This is true for MSN Messenger, Yahoo Messenger, and many others. The exact path for viewing those logs will vary from product to product.
Memory Capture Utilities
Most commercial forensic suites offer memory capture capability DD Utility (both Windows and Linux) Dumpit Memorize
MIME
Multipurpose Internet Mail Extensions (MIME) is an internet standard that extends the format of email to support: Text in character sets other than ASCII Non-text attachments: audio, video, images, application programs etc. Message bodies with multiple parts. Header information in non-ASCII character sets
Documenting the Crime Scene (chapter 7)
Record the brand, make, model, and serial number of every device present Note whether the computers present are on, off, or in sleep mode Determine if the computers are part of a network Record the status of all lights on the system. Flashing network lights can indicate a live TCP/IP Connection Listen to the system for excessive hard disk activity. This could indicate an active connection or data transfer Identify any peripherals that are installed or connected. Look for documentation specific to devices not currently present. Photograph the back of the computer and identify what devices are plugged into what ports. Before the investigator leaves the scene, each person present should be added to a contact list with names, titles, phone numbers and e-mail addresses for future contact. Provide a brief description of their role in the drama.
Router Data to Collect
Router OS Router Logs Startup and running configurations Routing tables Access lists Nat translation tables List of interfaces
Memory and running Processes:
Routing tables can be extracted from memory Network connections reside in RAM
running Processes
Running processes can identify malware running on the system
ForwardedEvents log
The ForwardedEvents log is used to store events collected from remote computers. This log is important in a networked environment.
Security log
The most important things you will find in the security log are successful and unsuccessful logon attempts
Setup log
The setup log contains events related to application setup. This will show new applications installed on the machine.
System log
The system log contains events logged by Windows system components. This includes events like driver failures. This particular log is not as interesting from a forensic perspective as the other logs are.
Application log
This log contains various events logged by applications or programs
Recovering Files from Unix/Linux
When using Unix or a related operating system such as Linux or free BSD, when a file is deleted, the link counter is decreased. As soon as the link counter hits 0, the file is ''unlinked,'' and thus removed. Because Linux is a multiuser and multitasking operating system, other users or processes can overwrite deleted file disk space. So you first need to take the system down to single-user mode. A file can be undeleted by using the debugfs tool: first changing the deletion time to 0, next increasing the link count to 1. Afterward, running e2fsck will enable you to map the unlinked clusters to the lost+found directory.
Depositions
a sworn testimony-- is a witness's out-of-court testimony that is reduced to writing for later use in court or for discovery purposes.
ILook
acquire and analyze digital media, not free or open source
CRC (Cyclical redundancy check) or MD (message digest) (chapter 7)
are computer algorithms that produce unique mathematical representations of the data.
Accessdata toolkit
deliver analysis, decryption, and password cracking all within an intuitive, customization, and user-friendly interface on up to 3 computers. Two very important features of this tool are its ability to analyze the Windows Registry and its ability to crack passwords. & has explicit image detection
Efense helix
exams hard drives, Can grab live volatile evidence from RAM or from USB-attached devices, monitor employee usage, take screen shots of various PC screens.
Order of Volatility
refers to the order in which you should collect evidence RAM Temporary files Local disks External storage media Network attached storage (NAS or SAN) Archival backups