Digital forensics (Exam 1)

An investigator must exhibit the highest level of professional behavior at all times. This means :

-Maintain objectivity -Maintain credibility by maintaining confidentiality

An _____ form helps you document what has been done with the original evidence and its forensics copies -Also called a _____ form

evidence custody; chain-of-evidence;

____ command lists, creates, deletes, and verifies partitions in Linux

fdisk

Law enforcement officer may search for and seize criminal evidence only with _____

probable cause

Four methods of data collection

•Creating a disk-to-image file •Creating a disk-to-disk •Creating a logical disk-to-disk or disk-to-data file •Creating a sparse data copy of a file or folder

Redundant array of independent disks (RAID)

•Computer configuration involving two or more disks •Originally developed as a data-redundancy measure

Computer records are usually divided into:

•Computer-generated records •Computer-stored records

Training on digital forensics software (when? who introduced it?)

By the early 1990s, the International Association of Computer Investigative Specialists (IACIS) introduced training on software for digital forensics

Candidates who complete the IACIS test are designated as a ______

Certified Forensic Computer Examiner (CFCE)

Lab acceptance testing

Consider the following items: •Inspect the facility to make sure it meets security criteria for containing and controlling digital evidence •Test all communications •Test all hardware to verify it is operational •Install and start all software tools

Advantages and disadvantages

Design goals •Provide compressed or uncompressed image files •No size restriction for disk-to-image files •Provide space in the image file or segmented files for metadata •Simple design with extensibility •Open source for multiple platforms and Oss •Internal consistency checks for self-authentication File extensions include .afd for segmented image files and .afm for AFF metadata AFF is open source

Advantages and disadvantages of proprietary formats

Most forensics tools have their own formats Advantages/ Features offered •Option to compress or not compress image files •Can split an image into smaller segmented files •Can integrate metadata into the image file Disadvantages •Inability to share an image between different tools •File size limitation for each segmented volume The Expert Witness Compression format is unofficial standard

A basic investigation plan should include the following activities:

-Acquire the evidence -Complete an evidence form and establish a chain of custody -Transport the evidence to a computer forensics lab -Secure evidence in an approved secure container -Prepare your forensics workstation -Retrieve the evidence from the secure container -Make a forensic copy of the evidence -Return the evidence to the secure container -Process the copied evidence with computer forensics tools

(Email abuse investigation) To conduct an investigation you need:

-An electronic copy of the offending e-mail that contains message header data -If available, e-mail server log records -For e-mail systems that store users' messages on a central server, access to the server -Access to the computer so that you can perform a forensic analysis on it -Your preferred computer forensics analysis tool

Digital Evidence First Responder (DEFR)

-Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence

Bit-stream copy

-Bit-by-bit copy of the original storage medium -Exact copy of the original disk -Different from a simple backup copy •Backup software only copy known files Backup software cannot copy deleted files, e-mail messages or recover file fragments

dd ("data dump") command (what does it do? shortcomings?)

-Can read and write from media device and data file -Creates raw format file that most computer forensics analysis tools can read Shortcomings of dd command -Requires more advanced skills than average user -Does not compress data dd command combined with the split command -Segments output into separate volumes

Investigating digital devices includes:

-Collecting data securely -Examining suspect data to determine details such as origin and content -Presenting digital information to courts -Applying laws to digital device practices

Staff needed for Industrial Espionage Investigations

-Computing investigator who is responsible for disk forensic examinations -Technology specialist who is knowledgeable of the suspected compromised technical data -Network specialist who can perform log analysis and set up network sniffers -Threat assessment specialist (typically an attorney)

Examples of groups with authority

-Corporate security investigations -Corporate ethics office -Corporate equal employment opportunity office -Internal auditing The general counsel or legal department

Your job is to recover data from:

-Deleted files -File fragments -Complete files

ISC² Certified Cyber Forensics Professional (CCFP) •Requires knowledge of:

-Digital forensics -Malware analysis -Incident response -E-discovery Other disciplines related to cyber investigations

Private-sector crimes can involve:

-E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

Bit-stream image

-File containing the bit-stream copy of all data on a disk or partition -Also known as "image" or "image file"

Digital Evidence Specialist (DES)

-Has the skill to analyze the data and determine when another specialist should be called in to assist

Steps for problem solving

-Make an initial assessment about the type of case you are investigating -Determine a preliminary design or approach to the case -Create a detailed checklist -Determine the resources you need -Obtain and copy an evidence drive -Identify the risks -Mitigate or minimize the risks -Test the design -Analyze and recover the digital evidence -Investigate the data you recover -Complete the case report -Critique the case

What must an affidavit include?

-Must include exhibits that support the allegation

(Internet Abuse Investigation) To conduct an investigation you need:

-Organization's Internet proxy server logs -Suspect computer's IP address -Suspect computer's disk drive -Your preferred computer forensics analysis tool

First rule of computer forensics

-Preserve the original evidence

Digital investigations fall into two categories:

-Public-sector investigations -Private-sector investigations

(Attorney-Client Privilege Investigations) steps of conducting the case

-Request a memorandum from the attorney directing you to start the investigation -Request a list of keywords of interest to the investigation -Initiate the investigation and analysis -For disk drive examinations, make two bit-stream images using different tools for each image -Compare hash signatures on all files on the original and re-created disks

Chain of custody

-Route the evidence takes from the time you find it until the case is closed or goes to court

Two types of evidence custody forms:

-Single-evidence form •Lists each piece of evidence on a separate page -Multi-evidence form

Assessing the Case - Systematically outline the case details:

-Situation -Nature of the case -Specifics of the case -Type of evidence -Known disk format -Location of evidence •Based on these details, you can determine the case requirements

dcfldd (command) functions

-Specify hex patterns or text for clearing disk space -Log errors to an output file for analysis and review -Use several hashing options -Refer to a status display indicating the progress of the acquisition in bytes -Split data acquisitions into segmented volumes with numeric extensions -Verify acquired data with original disk or media data

When conducting public-sector investigations, you must understand laws on computer-related crimes including:

-Standard legal processes -Guidelines on search and seizure -How to build a criminal case

Employees misusing resources can cost companies millions of dollars Misuse includes:

-Surfing the Internet -Sending personal e-mails -Using company computers for personal tasks

As an investigator, you need to develop formal procedures and informal checklists

-To cover all issues important to high-tech investigations -Ensures that correct techniques are used in an investigation

Validating evidence may be the most critical aspect of computer forensics. •Requires using a _______ utility

hashing algorithm

Logical acquisition or sparse acquisition

•Can take several hours; use when your time is limited •Logical acquisition captures only specific files of interest to the case •Sparse acquisition collects fragments of unallocated (deleted) data •For large disks •PST or OST mail files, RAID servers

ProDiscover Incident Response functions:

•Capture volatile system state information •Analyze current running processes •Locate unseen files and processes •Remotely view and listen to IP ports •Run hash comparisons •Create a hash inventory of all files remotely

Audits should include inspecting the following facility components and practices:

•Ceiling, floor, roof, and exterior walls of the lab •Doors and doors locks •Visitor logs •Evidence container logs •At the end of every workday, secure any evidence that's not being processed in a forensic workstation

Acquisition of RAID drives can be challenging and frustrating because of how RAID systems are: _____, ______, ______; What's the biggest concern?

•Designed •Configured •Sized Size is the biggest concern •Many RAID systems now have exabytes of data

AccessData Forensic Toolkit abilities

•Designed for viewing evidence disks and disk-to-image files •Makes disk-to-image copies of evidence drives - At logical partition and physical drive level - Can segment the image file •Evidence drive must have a hardware write-blocking device •Or run from a Live CD, such as Mini-WinFE

Any lab should have in stock:

•Digital camera •Assorted antistatic bags •External CD/DVD drive •IDE cables •Ribbon cables for floppy disks •Extra USB 3.0 or newer cables and SATA cards •SCSI cards, preferably ultrawide •Graphics cards, both PCI and AGP types •Assorted FireWire and USB adapters •Hard disk drives and USB drives •At least two 2.5-inch Notebook IDE hard drives to standard IDE/ATA or SATA adapter •Computer hand tools

Vendors offering RAID acquisition functions

•Guidance Software EnCase •X-Ways Forensics •AccessData FTK •Runtime Software •R-Tools Technologies

Expenses for a lab include

•Hardware •Software •Facility space •Training personnel

Maintain licensed copies of software such as:

•Microsoft Office (current and older version) •Hexadecimal editor •Programming languages (Visual Studio, Perl, or Python) •Specialized viewers (Quick View) •Third-party or open-source office suite •Quicken and QuickBooks accounting applications

Creating a disk-to-image file

•Most common method and offers most flexibility •Can make more than one copy •Copies are bit-for-bit replications of the original drive •Compatible with many commercial forensics tools

What are some well-designed Linux Live CDs for computer forensics?

•Penguin Sleuth Kit •CAINE •Deft •Kali Linux •Knoppix •SANS Investigative Forensic Toolkit (SIFT)

RAID 0

•Provides rapid access and increased storage •Biggest disadvantage is lack of redundancy

Three formats (data in forensics acquisition - img file)

•Raw format •Proprietary formats •Advanced Forensics Format (AFF)

RAID 6

•Redundant parity on each disk

Lab manager duties

•Set up processes for managing cases •Promote group consensus in decision making •Maintain fiscal responsibility for lab needs •Enforce ethical standards among lab staff members •Plan updates for the lab •Establish and promote quality-assurance processes •Set reasonable production schedules Estimate how many cases an investigator can handle

RAID 2

•Similar to RAID 1 •Data is written to a disk on a bit level •Has better data integrity checking than RAID 0 •Slower than RAID 0

RAID 4

•Similar to RAID 3 •Data is written in blocks

RAID 5

•Similar to RAIDs 0 and 3 •Places parity recovery data on each disk

When making a copy, consider:

•Size of the source disk -Lossless compression might be useful -Use digital signatures for verification •When working with large drives, an alternative is using lossless compression •Whether you can retain the disk •Time to perform the acquisition Where the evidence is located

Lab security - Minimum requirements

•Small room with true floor-to-ceiling walls •Door access with a locking mechanism •Secure container •Visitor's log •People working together should have same access level •Brief your staff about security policy

High-risk investigations demand more security than the minimum lab requirements ... you need ... alternatively you can use ...

•TEMPEST facilities -Electromagnetic Radiation (EMR) proofed •TEMPEST facilities are very expensive You can use low-emanation workstations instead

What to do when securing the evidence?

•Use evidence bags to secure and catalog the evidence •Use evidence tape to seal all openings •Write your initials on tape to prove that evidence has not been tampered with •Consider computer specific temperature and humidity ranges

Forensics investigators often work as part of a team, known as the investigations triad:

•Vulnerability/threat assessment and risk management -Tests and verifies the integrity of stand-along workstations and network servers •Network intrusion detection and incident response -Detects intruder attacks by using automated tools and monitoring network firewall logs •Digital investigations -Manages investigations and conducts forensics analysis of systems suspected of containing evidence

Creating a disk-to-disk

•When disk-to-image copy is not possible •Tools can adjust disk's geometry configuration •Tools: EnCase and X-Ways

Validating dd-acquired data

•You can use md5sum or sha1sum utilities •md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes

How you configure the work area will depend on:

•Your budget •Amount of available floor space •Number of computers you assign to each computing investigator

Criteria that must be met for plain view doctrine

-Officer is where he or she has a legal right to be -Ordinary senses must not be enhanced by advanced technology in any way -Any discovery must be by chance

initial-response field kit

A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.

extensive-response field kit

A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.

advantages and disadvantages of acquisition tools for Windows

Advantages -Make acquiring evidence from a suspect drive more convenient •Especially when used with hot-swappable devices Disadvantages -Must protect acquired data with a well-tested write-blocking hardware device -Tools can't acquire data from a disk's host protected area -Some countries haven't accepted the use of write-blocking devices for data acquisitions

Whole disk encryption feature in Windows called _____ makes static acquisitions more difficult

BitLocker

•The media you use to store digital evidence usually depends on how long you need to keep it

CDs, DVDs - Lifespan: 2 to 5 years Solid-state USB drives - Optimum choice, More durable Magnetic tapes - 4-mm DAT - Capacity: 40 to 72 GB, Slow read and write speeds, Lifespan: 30 years Super Digital Linear Tape (Super-DLT or SDLT) - Specifically designed for large RAID data backups Can store more than 1 TB of data Don't rely on one media storage method to preserve your evidence •Make two copies of every image to prevent data loss •Use different tools to create the two images

Validation techniques

CRC-32, MD5, and SHA-1 to SHA-512

By late 1990s, CART teamed up with __________

Department of Defense Computer Forensics Laboratory (DCFL)

Digital evidence

Evidence consisting of information stored or transmitted in electronic form.

ASR Data created _____ for Macintosh

Expert Witness

______ was formed in 1984 to handle cases involving digital evidence

FBI Computer Analysis and Response Team (CART)

___ created search-warrant programs

IRS

What tool enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only?

Mini-WinFE

Nonkeyed and keyed hash set

Most digital forensics hashing needs can be satisfied with a nonkeyed hash set •A unique hash number generated by a software tool, such as the Linux md5sum command Keyed hash set •Created by an encryption utility's secret key

What goes into a Business Case?

Planning ahead to ensure that money is available for facilities, tools, supplies, and training for your forensics lab - Justification (why is the lab needed?) - Budget development (facility, hardware, softare, misc. budget needs) - Approval and acquisition (present the budget to upper management) - Implementation (how will you implement approved items, delivery, installation and completion dates as well as scheduled inspection dates)

Probable cause

Refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest

Types of acquisitions

Static acquisitions and live acquisitions

________ updates information on computer search and seizure regularly

The Department of Justice (DOJ)

Federal Rules of Evidence (FRE)

The Federal Rules of Evidence (FRE) was created to ensure consistency in federal proceedings -Signed into law in 1973

_______ protects everyone's right to be secure from search and seizure

The Fourth Amendment to the U.S. Constitution -Separate search warrants might not be necessary for digital evidence

Digital forensics

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation

Witness or victim (of crime) makes _______ (1) to the police, before starting a criminal investigation. Then the police interview the complainant and write a ______ (2) about the crime. Finally, the _____ (2) is processed and management decides to start an investigation or log the information in a police _____ (database of previous crimes)

allegation; report; blotter;

Most important policies define rules for using the company's computers and networks. Known as ________

an "Acceptable use policy"

Businesses are advised to specify _____ who has the power to initiate investigations

an authorized requester

Data in a forensics acquisition tool is stored as ___

an image file

When statutes don't exist, ____ is used

case law

In the private sector, incident scene is often in a _____ and _____ area

contained and controlled

Public-sector investigations focus more on ________ and ________ while private-sector investigations focus more on _______

criminal investigations and prosecution; policy violations;

Professional conduct - includes ______, ______ and ________

ethics, morals, and standards of behavior

RAID 10 (1+0), or mirrored striping

•Combination of RAID 1 and RAID 0 •Provides fast access and redundancy

Case law

made when an appellate court endorses a rule to be used in deciding court cases. -Allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws

_______ command formats a FAT file system from Linux

mkfs.msdos

•Non-government organizations (NGO) must comply with state _______ and federal ________ laws

public disclosure; Freedom of Information Act (FOIA)

Businesses can reduce the risk of litigation by ...

publishing and maintaining policies that employees find easy to read and follow

Occasionally, a RAID system is too large for a static acquisition. In those situations ...

retrieve only the data relevant to the investigation with the sparse or logical acquisition method

RAID 15 (1+5)

•Combination of RAID 1 and RAID 5 •More costly option

A criminal investigation usually begins when ...

someone finds evidence of or witnesses a crime

Line of authority

states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

ASR Data SMART

•A Linux forensics analysis tool that can make image files of a suspect drive •Can produce proprietary or raw format images •Capabilities: •Data reading of bad sectors •Can mount drives in write-protected mode •Can mount target drives in read/write mode •Compression schemes to speed up acquisition or reduce amount of storage needed

Your budget

•Amount of available floor space •Number of computers you assign to each computing investigator

RAID 1

•Designed for data recovery •More expensive than RAID 0

Remote connection security features

•Password protection •Encryption •Secure communication protocol •Write-protected trusted binaries •Digital signatures

PDServer remote agent

•ProDiscover utility for remote access •Needs to be loaded on the suspect

HAZMAT guidelines

•Put the target drive in a special HAZMAT bag •HAZMAT technician can decontaminate the bag •Check for high temperatures

Best evidence rule states:

•To prove the content of a written document, recording, or photograph, ordinarily the original file is required

Validating dcfldd acquired data

•Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512 •hashlog option outputs hash results to a text file that can be stored with the image files •vf (verify file) option compares the image file to the original medium

RAID 3

•Uses data stripping and dedicated parity •Requires at least three disks

Completing a case

- You need to file a final report that has conclusive evidence - the suspect did or did not commit a crime/ violate a company policy - Your findings need to be repeatable

Affidavit

- a sworn statement of support of facts about or evidence of a crime

During private investigations, you search for evidence to support allegations of violations of a company's rules or an attack on its assets Three types of situations are common:

-Abuse or misuse of computing assets -E-mail abuse -Internet abuse

Advantages and disadvantages of raw format

Advantages •Fast data transfers •Ignores minor data read errors on source drive •Most computer forensics tools can read raw format Disadvantages •Requires as much storage as original disk or data •Tools might not collect marginal (bad) sectors