Digital forensics (Exam 1)
An investigator must exhibit the highest level of professional behavior at all times. This means:
-Maintain objectivity -Maintain credibility by maintaining confidentiality
An _____ form helps you document what has been done with the original evidence and its forensics copies -Also called a _____ form
evidence custody; chain-of-evidence;
____ command lists, creates, deletes, and verifies partitions in Linux
fdisk
Law enforcement officer may search for and seize criminal evidence only with _____
probable cause
Four methods of data collection
•Creating a disk-to-image file •Creating a disk-to-disk •Creating a logical disk-to-disk or disk-to-data file •Creating a sparse data copy of a file or folder
Redundant array of independent disks (RAID)
•Computer configuration involving two or more disks •Originally developed as a data-redundancy measure
Computer records are usually divided into:
•Computer-generated records •Computer-stored records
Training on digital forensics software (when? who introduced it?)
By the early 1990s, the International Association of Computer Investigative Specialists (IACIS) introduced training on software for digital forensics
Candidates who complete the IACIS test are designated as a ______
Certified Forensic Computer Examiner (CFCE)
Lab acceptance testing
Consider the following items: •Inspect the facility to make sure it meets security criteria for containing and controlling digital evidence •Test all communications •Test all hardware to verify it is operational •Install and start all software tools
Advantages and disadvantages
Design goals •Provide compressed or uncompressed image files •No size restriction for disk-to-image files •Provide space in the image file or segmented files for metadata •Simple design with extensibility •Open source for multiple platforms and OSs •Internal consistency checks for self-authentication; File extensions include .afd for segmented image files and .afm for AFF metadata; AFF is open source
Advantages and disadvantages of proprietary formats
Most forensics tools have their own formats. Advantages/features offered •Option to compress or not compress image files •Can split an image into smaller segmented files •Can integrate metadata into the image file; Disadvantages •Inability to share an image between different tools •File size limitation for each segmented volume; The Expert Witness Compression format is the unofficial standard
A basic investigation plan should include the following activities:
-Acquire the evidence -Complete an evidence form and establish a chain of custody -Transport the evidence to a computer forensics lab -Secure evidence in an approved secure container -Prepare your forensics workstation -Retrieve the evidence from the secure container -Make a forensic copy of the evidence -Return the evidence to the secure container -Process the copied evidence with computer forensics tools
(Email abuse investigation) To conduct an investigation you need:
-An electronic copy of the offending e-mail that contains message header data -If available, e-mail server log records -For e-mail systems that store users' messages on a central server, access to the server -Access to the computer so that you can perform a forensic analysis on it -Your preferred computer forensics analysis tool
Digital Evidence First Responder (DEFR)
-Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
Bit-stream copy
-Bit-by-bit copy of the original storage medium -Exact copy of the original disk -Different from a simple backup copy •Backup software only copies known files •Backup software cannot copy deleted files or e-mail messages, or recover file fragments
dd ("data dump") command (what does it do? shortcomings?)
-Can read and write from a media device and a data file -Creates a raw format file that most computer forensics analysis tools can read; Shortcomings of the dd command -Requires more advanced skills than the average user has -Does not compress data; The dd command combined with the split command -Segments output into separate volumes
Investigating digital devices includes:
-Collecting data securely -Examining suspect data to determine details such as origin and content -Presenting digital information to courts -Applying laws to digital device practices
Staff needed for Industrial Espionage Investigations
-Computing investigator who is responsible for disk forensic examinations -Technology specialist who is knowledgeable of the suspected compromised technical data -Network specialist who can perform log analysis and set up network sniffers -Threat assessment specialist (typically an attorney)
Examples of groups with authority
-Corporate security investigations -Corporate ethics office -Corporate equal employment opportunity office -Internal auditing -The general counsel or legal department
Your job is to recover data from:
-Deleted files -File fragments -Complete files
ISC² Certified Cyber Forensics Professional (CCFP) •Requires knowledge of:
-Digital forensics -Malware analysis -Incident response -E-discovery -Other disciplines related to cyber investigations
Private-sector crimes can involve:
-E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
Bit-stream image
-File containing the bit-stream copy of all data on a disk or partition -Also known as "image" or "image file"
Digital Evidence Specialist (DES)
-Has the skill to analyze the data and determine when another specialist should be called in to assist
Steps for problem solving
-Make an initial assessment about the type of case you are investigating -Determine a preliminary design or approach to the case -Create a detailed checklist -Determine the resources you need -Obtain and copy an evidence drive -Identify the risks -Mitigate or minimize the risks -Test the design -Analyze and recover the digital evidence -Investigate the data you recover -Complete the case report -Critique the case
What must an affidavit include?
-Must include exhibits that support the allegation
(Internet Abuse Investigation) To conduct an investigation you need:
-Organization's Internet proxy server logs -Suspect computer's IP address -Suspect computer's disk drive -Your preferred computer forensics analysis tool
First rule of computer forensics
-Preserve the original evidence
Digital investigations fall into two categories:
-Public-sector investigations -Private-sector investigations
(Attorney-Client Privilege Investigations) steps of conducting the case
-Request a memorandum from the attorney directing you to start the investigation -Request a list of keywords of interest to the investigation -Initiate the investigation and analysis -For disk drive examinations, make two bit-stream images using different tools for each image -Compare hash signatures on all files on the original and re-created disks
Chain of custody
-Route the evidence takes from the time you find it until the case is closed or goes to court
Two types of evidence custody forms:
-Single-evidence form •Lists each piece of evidence on a separate page -Multi-evidence form
Assessing the Case - Systematically outline the case details:
-Situation -Nature of the case -Specifics of the case -Type of evidence -Known disk format -Location of evidence •Based on these details, you can determine the case requirements
dcfldd (command) functions
-Specify hex patterns or text for clearing disk space -Log errors to an output file for analysis and review -Use several hashing options -Refer to a status display indicating the progress of the acquisition in bytes -Split data acquisitions into segmented volumes with numeric extensions -Verify acquired data with original disk or media data
When conducting public-sector investigations, you must understand laws on computer-related crimes including:
-Standard legal processes -Guidelines on search and seizure -How to build a criminal case
Employees misusing resources can cost companies millions of dollars. Misuse includes:
-Surfing the Internet -Sending personal e-mails -Using company computers for personal tasks
As an investigator, you need to develop formal procedures and informal checklists
-To cover all issues important to high-tech investigations -Ensures that correct techniques are used in an investigation
Validating evidence may be the most critical aspect of computer forensics. •Requires using a _______ utility
hashing algorithm
Logical acquisition or sparse acquisition
•Can take several hours; use when your time is limited •Logical acquisition captures only specific files of interest to the case •Sparse acquisition collects fragments of unallocated (deleted) data •For large disks •PST or OST mail files, RAID servers
ProDiscover Incident Response functions:
•Capture volatile system state information •Analyze current running processes •Locate unseen files and processes •Remotely view and listen to IP ports •Run hash comparisons •Create a hash inventory of all files remotely
Audits should include inspecting the following facility components and practices:
•Ceiling, floor, roof, and exterior walls of the lab •Doors and door locks •Visitor logs •Evidence container logs •At the end of every workday, secure any evidence that's not being processed in a forensic workstation
Acquisition of RAID drives can be challenging and frustrating because of how RAID systems are: _____, ______, ______; What's the biggest concern?
•Designed •Configured •Sized; Size is the biggest concern •Many RAID systems now have exabytes of data
AccessData Forensic Toolkit abilities
•Designed for viewing evidence disks and disk-to-image files •Makes disk-to-image copies of evidence drives - At logical partition and physical drive level - Can segment the image file •Evidence drive must have a hardware write-blocking device •Or run from a Live CD, such as Mini-WinFE
Any lab should have in stock:
•Digital camera •Assorted antistatic bags •External CD/DVD drive •IDE cables •Ribbon cables for floppy disks •Extra USB 3.0 or newer cables and SATA cards •SCSI cards, preferably ultrawide •Graphics cards, both PCI and AGP types •Assorted FireWire and USB adapters •Hard disk drives and USB drives •At least two 2.5-inch notebook IDE hard drive to standard IDE/ATA or SATA adapters •Computer hand tools
Vendors offering RAID acquisition functions
•Guidance Software EnCase •X-Ways Forensics •AccessData FTK •Runtime Software •R-Tools Technologies
Expenses for a lab include
•Hardware •Software •Facility space •Training personnel
Maintain licensed copies of software such as:
•Microsoft Office (current and older versions) •Hexadecimal editor •Programming languages (Visual Studio, Perl, or Python) •Specialized viewers (Quick View) •Third-party or open-source office suite •Quicken and QuickBooks accounting applications
Creating a disk-to-image file
•Most common method and offers most flexibility •Can make more than one copy •Copies are bit-for-bit replications of the original drive •Compatible with many commercial forensics tools
What are some well-designed Linux Live CDs for computer forensics?
•Penguin Sleuth Kit •CAINE •Deft •Kali Linux •Knoppix •SANS Investigative Forensic Toolkit (SIFT)
RAID 0
•Provides rapid access and increased storage •Biggest disadvantage is lack of redundancy
Three formats (data in forensics acquisition - img file)
•Raw format •Proprietary formats •Advanced Forensics Format (AFF)
RAID 6
•Redundant parity on each disk
Lab manager duties
•Set up processes for managing cases •Promote group consensus in decision making •Maintain fiscal responsibility for lab needs •Enforce ethical standards among lab staff members •Plan updates for the lab •Establish and promote quality-assurance processes •Set reasonable production schedules -Estimate how many cases an investigator can handle
RAID 2
•Similar to RAID 1 •Data is written to a disk on a bit level •Has better data integrity checking than RAID 0 •Slower than RAID 0
RAID 4
•Similar to RAID 3 •Data is written in blocks
RAID 5
•Similar to RAIDs 0 and 3 •Places parity recovery data on each disk
When making a copy, consider:
•Size of the source disk -Lossless compression might be useful -Use digital signatures for verification •When working with large drives, an alternative is using lossless compression •Whether you can retain the disk •Time to perform the acquisition •Where the evidence is located
Lab security - Minimum requirements
•Small room with true floor-to-ceiling walls •Door access with a locking mechanism •Secure container •Visitor's log •People working together should have same access level •Brief your staff about security policy
High-risk investigations demand more security than the minimum lab requirements ... you need ... alternatively you can use ...
•TEMPEST facilities -Electromagnetic Radiation (EMR) proofed •TEMPEST facilities are very expensive; you can use low-emanation workstations instead
What to do when securing the evidence?
•Use evidence bags to secure and catalog the evidence •Use evidence tape to seal all openings •Write your initials on tape to prove that evidence has not been tampered with •Consider computer specific temperature and humidity ranges
Forensics investigators often work as part of a team, known as the investigations triad:
•Vulnerability/threat assessment and risk management -Tests and verifies the integrity of stand-alone workstations and network servers •Network intrusion detection and incident response -Detects intruder attacks by using automated tools and monitoring network firewall logs •Digital investigations -Manages investigations and conducts forensics analysis of systems suspected of containing evidence
Creating a disk-to-disk
•When disk-to-image copy is not possible •Tools can adjust disk's geometry configuration •Tools: EnCase and X-Ways
Validating dd-acquired data
•You can use md5sum or sha1sum utilities •md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
How you configure the work area will depend on:
•Your budget •Amount of available floor space •Number of computers you assign to each computing investigator
Criteria that must be met for plain view doctrine
-Officer is where he or she has a legal right to be -Ordinary senses must not be enhanced by advanced technology in any way -Any discovery must be by chance
initial-response field kit
A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
extensive-response field kit
A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
advantages and disadvantages of acquisition tools for Windows
Advantages -Make acquiring evidence from a suspect drive more convenient •Especially when used with hot-swappable devices Disadvantages -Must protect acquired data with a well-tested write-blocking hardware device -Tools can't acquire data from a disk's host protected area -Some countries haven't accepted the use of write-blocking devices for data acquisitions
Whole disk encryption feature in Windows called _____ makes static acquisitions more difficult
BitLocker
•The media you use to store digital evidence usually depends on how long you need to keep it
•CDs, DVDs -Lifespan: 2 to 5 years •Solid-state USB drives -Optimum choice, more durable •Magnetic tapes -4-mm DAT: capacity 40 to 72 GB, slow read and write speeds, lifespan 30 years -Super Digital Linear Tape (Super-DLT or SDLT): specifically designed for large RAID data backups, can store more than 1 TB of data •Don't rely on one media storage method to preserve your evidence -Make two copies of every image to prevent data loss -Use different tools to create the two images
Validation techniques
CRC-32, MD5, and SHA-1 to SHA-512
By late 1990s, CART teamed up with __________
Department of Defense Computer Forensics Laboratory (DCFL)
Digital evidence
Evidence consisting of information stored or transmitted in electronic form.
ASR Data created _____ for Macintosh
Expert Witness
______ was formed in 1984 to handle cases involving digital evidence
FBI Computer Analysis and Response Team (CART)
___ created search-warrant programs
IRS
What tool enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only?
Mini-WinFE
Nonkeyed and keyed hash set
Nonkeyed hash set •Most digital forensics hashing needs can be satisfied with a nonkeyed hash set •A unique hash number generated by a software tool, such as the Linux md5sum command; Keyed hash set •Created by an encryption utility's secret key
What goes into a Business Case?
Planning ahead to ensure that money is available for facilities, tools, supplies, and training for your forensics lab -Justification (why is the lab needed?) -Budget development (facility, hardware, software, misc. budget needs) -Approval and acquisition (present the budget to upper management) -Implementation (how you will implement approved items; delivery, installation, and completion dates as well as scheduled inspection dates)
Probable cause
Refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest
Types of acquisitions
Static acquisitions and live acquisitions
________ updates information on computer search and seizure regularly
The Department of Justice (DOJ)
Federal Rules of Evidence (FRE)
The Federal Rules of Evidence (FRE) was created to ensure consistency in federal proceedings -Signed into law in 1973
_______ protects everyone's right to be secure from search and seizure
The Fourth Amendment to the U.S. Constitution -Separate search warrants might not be necessary for digital evidence
Digital forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
Witness or victim (of crime) makes _______ (1) to the police, before starting a criminal investigation. Then the police interview the complainant and write a ______ (2) about the crime. Finally, the _____ (2) is processed and management decides to start an investigation or log the information in a police _____ (3) (database of previous crimes)
allegation; report; blotter;
Most important policies define rules for using the company's computers and networks. Known as ________
an "Acceptable use policy"
Businesses are advised to specify _____ who has the power to initiate investigations
an authorized requester
Data in a forensics acquisition tool is stored as ___
an image file
When statutes don't exist, ____ is used
case law
In the private sector, incident scene is often in a _____ and _____ area
contained and controlled
Public-sector investigations focus more on ________ and ________ while private-sector investigations focus more on _______
criminal investigations and prosecution; policy violations;
Professional conduct - includes ______, ______ and ________
ethics, morals, and standards of behavior
RAID 10 (1+0), or mirrored striping
•Combination of RAID 1 and RAID 0 •Provides fast access and redundancy
Case law
Made when an appellate court endorses a rule to be used in deciding court cases -Allows legal counsel to apply previous similar cases to the current one in an effort to address ambiguity in laws
_______ command formats a FAT file system from Linux
mkfs.msdos
•Non-government organizations (NGO) must comply with state _______ and federal ________ laws
public disclosure; Freedom of Information Act (FOIA)
Businesses can reduce the risk of litigation by ...
publishing and maintaining policies that employees find easy to read and follow
Occasionally, a RAID system is too large for a static acquisition. In those situations ...
retrieve only the data relevant to the investigation with the sparse or logical acquisition method
RAID 15 (1+5)
•Combination of RAID 1 and RAID 5 •More costly option
A criminal investigation usually begins when ...
someone finds evidence of or witnesses a crime
Line of authority
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
ASR Data SMART
•A Linux forensics analysis tool that can make image files of a suspect drive •Can produce proprietary or raw format images •Capabilities: •Data reading of bad sectors •Can mount drives in write-protected mode •Can mount target drives in read/write mode •Compression schemes to speed up acquisition or reduce amount of storage needed
RAID 1
•Designed for data recovery •More expensive than RAID 0
Remote connection security features
•Password protection •Encryption •Secure communication protocol •Write-protected trusted binaries •Digital signatures
PDServer remote agent
•ProDiscover utility for remote access •Needs to be loaded on the suspect computer
HAZMAT guidelines
•Put the target drive in a special HAZMAT bag •HAZMAT technician can decontaminate the bag •Check for high temperatures
Best evidence rule states:
•To prove the content of a written document, recording, or photograph, ordinarily the original file is required
Validating dcfldd acquired data
•Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512 •hashlog option outputs hash results to a text file that can be stored with the image files •vf (verify file) option compares the image file to the original medium
RAID 3
•Uses data striping and dedicated parity •Requires at least three disks
Completing a case
-You need to file a final report that has conclusive evidence: the suspect did or did not commit a crime or violate a company policy -Your findings need to be repeatable
Affidavit
- a sworn statement of support of facts about or evidence of a crime
During private investigations, you search for evidence to support allegations of violations of a company's rules or an attack on its assets Three types of situations are common:
-Abuse or misuse of computing assets -E-mail abuse -Internet abuse
Advantages and disadvantages of raw format
Advantages •Fast data transfers •Ignores minor data read errors on source drive •Most computer forensics tools can read raw format Disadvantages •Requires as much storage as original disk or data •Tools might not collect marginal (bad) sectors