Digital Forensics
A documentation trail is beneficial but not required.
False
Digital evidence is not volatile.
False
Should you touch a drive that was attacked?
No, you don't want to make changes to the system while examining it.
FBI Forensic Guidelines
• Preserve the state of the computer
• Make a backup copy of the logs and files
• If the incident is in progress, activate any auditing or recording software
• Collect all the data you can
• Document specific losses, including:
  • Labor costs
  • Costs of damaged equipment
  • Value of data lost or stolen
  • Lost revenue due to downtime
Which activity is not usually included in computer forensics?
The examination of physical systems
The Windows Registry contains a list of USB devices that have been connected to the machine.
True
Detection
• Determining if an incident or attempt has been made
• IDS
• Initial actions/reactions
• Determining the scope
• Reporting process
Physical vs Digital Crime Scenes
• Overlapping principles
• The basics of criminalistics are constant, physical and digital
• Locard's principle applies: "When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived"
Eradication/Repair, Recovery
• Recovering systems
• Getting rid of the causes of the incident, vulnerabilities, or the residue (rootkits, trojan horses, etc.)
• Hardening systems
• Dealing with patches
Follow up
• Review the incident and how it was handled
• Postmortem analysis
• Lessons learned
• Follow-up reporting
Collection: Imaging
• Rule of thumb: make 2 copies and don't work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image:
  • Preserves the original evidence
  • Prevents inadvertent alteration of original evidence during examination
  • Allows recreation of the duplicate image if necessary
Affidavit and Search Warrant
• Sworn testimony that certain facts are in the possession of the investigating officer that they feel warrant the examination of specific items located at a specific place
• The facts, the items, and the place must be specified
• When an approving authority signs the affidavit, it becomes a search warrant, giving permission to:
  • Search the EM at the specified location
  • Seize items to return to the investigator for examination
The 3 A's
• Acquire the evidence without altering or damaging the original
• Authenticate the image
• Analyze the data without modifying it
In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?
Chain of Custody
___________________ can include logs, portable storage, emails, tablets, and cell phones.
Computer Evidence
Basic Principles
• Digital/electronic evidence is extremely volatile
• Once evidence is contaminated it cannot be decontaminated
• Chain of custody is crucial
• Court acceptance is based on the best evidence rule: "best the nature of the case will allow"
Documentation
Document everything possible
Most Windows logs are turned on automatically.
False
With a computer, always work on the original since when a person commits a crime something is always left behind.
False
Why should you note all cable connections for a computer you want to seize as evidence?
In case other devices were connected
Components of PDCAERF
• Preparation
• Detection
• Containment
• Analysis
• Eradication
• Repair
• Follow up
When an affidavit is signed, it becomes a search warrant
True
Evidentiary material
Any information that could potentially support an organization's legal or policy-based case against a suspect.
When to take a computer offline
As soon as it has been attacked; this will prevent further tampering.
Evidentiary Procedures
Having good procedures can minimize the chance of losing a legal battle. They should cover:
• Who may conduct an investigation and who is authorized in an investigation
• What affidavit- and search warrant-related issues are required
• The methodology to be followed
• The final report format
Why do we study it
The director of the FBI expects 50% of cases to involve forensic examination.
Digital Forensics Defined
The preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence. Used to investigate what happened during an attack on assets and how the attack occurred.
Digital Forensics used for two key purposes
• To investigate allegations of digital malfeasance
• To perform root cause analysis
Forensically sound evidence
Used to characterize methods to securely copy data. One method to create forensically sound copies is to utilize disk imaging. This is the process of copying a hard drive to store a backup. In this process, all the drive's information will be copied, including boot records. Most digital forensics professionals state that the image must be a 'bit-for-bit' copy and you must verify the authenticity and reliability of the copy.
Preparation
• Being ready to respond
• Procedures & policies
• Resources & CSIRT creation
• Current vulnerabilities & counter-measures
Examples of digital evidence
• Browser - direct and circumstantial evidence
  • Pornography - direct
  • Cyber stalking - direct
  • Creation of a virus - circumstantial
  • History - information
• Windows Logs
  • Security log - successful and unsuccessful login events
  • Application log - events logged by applications and programs
  • System log - events logged by Windows system components
  • Forwarded Events log - events collected from remote computers
  • Applications and Services logs - store events from a single application or component
• Linux logs
• Deleted files
• Mobile phones
• Logs
• Portable devices (USB drives, external drives)
• Emails
• Devices that store data - iPod, iPad, tablets
• Cell phones
Collection
• Care must be taken to minimize contamination
• Collect or seize the system, network trace
• Create forensic image
• Live or static?
• Do you own the system?
• What does your policy say?
Myths and Misconceptions
• Cyber-criminals are computer experts with a high technical ability
• Cyber-criminals have higher than average IQs
• All cyber-criminals are introverts
• Cyber-criminals are never violent
• Cyber-criminals are not "real" criminals
• Cyber-criminals fit one "neat" profile
Secret Service Guidelines
For first responders:
• Secure scene and make it safe
• Secure computer
• Determine if you have legal right to seize computer
• Do not try to access files or turn computer on if off
• Do not search computer if it is on
• Shut down the computer if it appears to be deleting files
• Take pictures of the computer screen
Analysis
• How the incident occurred
• More in-depth analysis of the event
• Tracing the incident back to its source
Methodology for Digital Forensics
• Identify relevant items of evidentiary value (EM)
• Acquire (seize) the evidence without alteration or damage
• Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
• Analyze the data without risking modification or unauthorized access
• Report the findings to the proper authority
Containment
• Limit the extent of an attack
• Mitigate the potential damage & loss
• Containment strategies
Identification
• More difficult than it sounds
• Small scale devices
• Non-traditional storage media
• Multiple possible crime scenes
• Do not operate in a vacuum
• Do not overlook non-electronic sources of evidence
  • Manuals, papers, printouts, etc.
Digital Forensics Team
• Most organizations:
  • Cannot sustain a permanent digital forensics team
  • Collect data and outsource analysis
• Information security group personnel should be trained to understand and manage the forensics process to avoid contamination of potential EM
• Expertise can be obtained by training
Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is "on", take photos of what is displayed on the monitor
• DO NOT ALTER THE SCENE
• Make sure to take photos and notes of all connections to the computer/other devices
Chain of Custody
• Detailed documentation showing the status of evidence at every point in time from the moment of seizure to the moment the evidence is presented in court
• The chronological documentation or paper trail that records the sequence of custody; any time evidence is transferred, it has to be documented
• Any break in that chain could render the evidence inadmissible at trial
Basic Activities involved
• The secure collection of computer data
• The identification of suspect data
• The examination of suspect data to determine details such as origin and content
• The presentation of computer-based information to courts of law
• The application of a country's laws to computer practice