Forensics final
What is a block chain
- A distributed database hardened against tampering or revision
- Each block contains a hash of the prior block, forming a block chain, making it extremely difficult (some say impossible) to add/remove/reorder blocks without being detected (Merkle trees, i.e. hash of a hash)
32bit
- Address up to 4,294,967,295 bytes, limited to 4GB of RAM, referred to as x86
What is a block
- Fundamental building block consisting of one or more timestamped transaction records (either public or private versions)
- In an encrypted, private block, each record type has its own encryption key to keep transactions private
- Originally contained only data; more recent versions include executables
What is RFC 2822
- Standard for email format, including headers.
- All email programs use the same email format
4th Amendment
- The Fourth Amendment to the U.S. Constitution as well as state requirements govern the seizure and collection of any email messages that reside on a sender's or recipient's computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, the Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.
- The Fourth and Fifth Amendments to the U.S. Constitution
  - Note border control policy on phone inspection is an exception
  - Border control can seize electronic devices and make copies for later forensic analysis without a warrant or suspicion of wrongdoing
  - Lawyers, medical professionals, and journalists can say they have privileged, confidential files, but there is no guarantee agents will recognize it as a deterrent
How does Email work?
1. Sender uses a mail client to send a message
2. Message travels to multiple mail servers
   - Each mail server sends the message closer to its destination
3. Destination mail server stores the message
4. Receiver uses a mail client to retrieve the message from the mail server
18 U.S.C. 2252B
- This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors.
- This is a very serious concern, and one that sometimes arises in child predator cases.
What is POP3
Post Office Protocol version 3
Hierarchy of memories
Programmers want memory to be fast, large, and cheap, as memory speed often shapes performance, capacity limits the size of problems that can be solved, and the cost of memory today is often the majority of computer cost. Architects have found that they can address these conflicting demands with a hierarchy of memories, with the fastest, smallest, and most expensive memory per bit at the top of the hierarchy and the slowest, largest, and cheapest per bit at the bottom. Caches give the programmer the illusion that main memory is nearly as fast as the top of the hierarchy and nearly as big and cheap as the bottom of the hierarchy. We use a layered triangle icon to represent the memory hierarchy. The shape indicates speed, cost, and size: the closer to the top, the faster and more expensive per bit the memory; the wider the base of the layer, the bigger the memory.
SMTP port and SMTPS port
SMTP:25 and SMTPS:465
Queue
First in first out
Morris Worm
First major internet worm (1988); disabled 10% of internet computers; used several attacks
Master boot record (MBR)
A master boot record is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives
Performance via pipelining
A particular pattern of parallelism is so prevalent in computer architecture that it merits its own name: pipelining. For example, before fire engines, a "bucket brigade" would respond to a fire, which many cowboy movies show in response to a dastardly act by the villain. The townsfolk form a human chain to carry a water source to the fire, as they could much more quickly move buckets up the chain instead of individuals running back and forth. Our pipeline icon is a sequence of pipes, with each section representing one stage of the pipeline.
Buffer overflow vulnerability
A program fails to keep track of its input; the input data modifies RAM that it should not; an attacker can take over the computer if the wrong RAM gets modified
64bit
Address up to 18446744073709551616 bytes, referred to as x64
Use Abstraction to Simplify Design
Both computer architects and programmers had to invent techniques to make themselves more productive, for otherwise design time would lengthen as dramatically as resources grew by Moore's Law. A major productivity technique for hardware and software is to use abstractions to represent the design at different levels of representation; lower-level details are hidden to offer a simpler model at higher levels. We'll use the abstract painting icon to represent this second great idea.
Communication Assistance for Law Enforcement Act (CALEA)
CALEA is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.
Dependability via redundancy
Computers not only need to be fast; they need to be dependable. Since any physical device can fail, we make systems dependable by including redundant components that can take over when a failure occurs and to help detect failures. We use the tractor-trailer as our icon, since the dual tires on each side of its rear axles allow the truck to continue driving even when one tire fails. (Presumably, the truck driver heads immediately to a repair facility so the flat tire can be fixed, thereby restoring redundancy!)
How are memory capacity and addressing limited?
Determined by two factors:
1. Number of bits in the address register
   - LMC = 100 (00 to 99)
   - 2^K where K = width of the register in bits
2. Size of the address portion of the instruction
   - 4 bits allows 16 locations
   - 8 bits allows 256 locations
   - 32 bits allows 4,294,967,296 or 4 GB
   - 64 bits allows 16 billion gigabytes
Performance via prediction
Following the saying that it can be better to ask for forgiveness than to ask for permission, the next great idea is prediction. In some cases it can be faster on average to guess and start working rather than wait until you know for sure, assuming that the mechanism to recover from a misprediction is not too expensive and your prediction is relatively accurate. We use the fortune-teller's crystal ball as our prediction icon.
BlockChain
Fully connected peer-to-peer network, Chain code runs on all peers which share the transaction ledger, Ledger contains a complete record of all transactions, Permanent immutable record of all transactions kept at all nodes
What is IMAP
Internet Message Access Protocol
IMAP vs POP3
Latest version of IMAP is similar to POP3 but supports more features
Make the common case fast
Making the common case fast will tend to enhance performance better than optimizing the rare case. Ironically, the common case is often simpler than the rare case and hence is often easier to enhance. This common sense advice implies that you know what the common case is, which is only possible with careful experimentation and measurement. We use a sports car as the icon for making the common case fast, as the most common trip has one or two passengers, and it's surely easier to make a fast sports car than a fast minivan.
Memory vs CPU
Memory is slow compared to CPU processing speeds
- 2 GHz CPU = 1 cycle in ½ of a billionth of a second
- 70ns DRAM = 1 access in 70 millionth of a second
Windows swap file extensions
Old: .swp
New: pagefile.sys (since XP)
POP3 and POP3(Secure) ports
POP3:110 and POP3(secure):995
What is SMTP
Simple Mail Transfer Protocol
Performance via parallelism
Since the dawn of computing, computer architects have offered designs that get more performance by performing operations in parallel. We'll see many examples of parallelism in this book. We use multiple jet engines of a plane as our icon for parallel performance.
Windows file swap
Special place on the hard disk where items from memory can be temporarily stored for fast retrieval. Found in the root directory; referred to as virtual memory; used to arrange RAM on the computer without regard to specific data structures.
How can emails be faked?
Spoofing, Anonymous remailing and "valid" emails
Volatile Memory
- Stack (S)—Allocated based on the last-in, first-out (LIFO) principle. When the program is running, program variables use the memory allocated to the stack area again and again. This segment is the most dynamic area of the memory process. The data within this segment is discrepant and influenced by the program's various function calls.
- Heap (H)—A process may use a memory allocator such as malloc to request dynamic memory. When this happens, the address space of the process expands. The data in the heap area can exist between function calls. The memory allocator may reuse memory that has been released by the process. Therefore, heap data is less stable than the data in the data segment.
CAN-SPAM Act
The CAN-SPAM Act was the first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes.
- You do not need permission before sending email. This means that unsolicited email is not prohibited.
- It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act.
The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails, and that method cannot require the receiver to pay in order to opt out.
Restrictions on how the sender can acquire the recipient's email address and how the sender can actually transmit the email:
- A message cannot be sent through an open relay.
- A message cannot be sent to a harvested email address.
- A message cannot contain a false header.
These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party's servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.
Electronic Communications Privacy act
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers. The ECPA requires different legal processes to obtain specific types of information:
- Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant.
- Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.
- Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.
- Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.
How to fake an email
Use free public Wi-Fi (at least an hour away from home), spoof IP address and MAC address, send email through an anonymous email account. Some may not spoof IP, MAC address or email address. May use a PC.
What is POP3 used for
Used to receive email
- Designed to delete email on the server as soon as the user downloads the email
What is IMAP used for
Used to receive email. Users view email on server, decide whether to download the mail; email is retained on server
What is SMTP used for
Used to send email from client to mail server and between servers
The USA PATRIOT Act
The USA PATRIOT Act of 2001 was passed into law as a response to the terrorist attacks of September 11, 2001. The Act:
- Reduced restrictions on law enforcement agencies' intelligence gathering within the United States
- Expanded the Secretary of the Treasury's authority to regulate financial transactions
- Broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts
- Expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the PATRIOT Act's extended law enforcement powers can be applied
In May of 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups. The PATRIOT Act gives law enforcement dramatically enhanced powers for information gathering and should be a part of the knowledge base for any forensic investigator.
Host protected area (HPA)
The host protected area is an area of a hard drive or solid-state drive that is not normally visible to an operating system.
Design for Moore's Law
The one constant for computer designers is rapid change, which is driven largely by Moore's Law. It states that integrated circuit resources double every 18-24 months. Moore's Law resulted from a 1965 prediction of such growth in IC capacity made by Gordon Moore, one of the founders of Intel. As computer designs can take years, the resources available per chip can easily double or quadruple between the start and finish of the project. Like a skeet shooter, computer architects must anticipate where the technology will be when the design finishes rather than design for where it starts. We use an "up and to the right" Moore's Law graph to represent designing for rapid change.
Foreign Intelligence Surveillance Act (FISA)
This U.S. law prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism. The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies' approaches to information gathering. It has been amended frequently so it is important to stay current on the latest revisions and court cases.
Offline vs volatile data analysis
Toolkits are available for collecting volatile memory data. These automated programs run on live systems and collect transient memory data. A major drawback of these tools is that they rely on the underlying operating system. Running them on a compromised system could affect the collected data's reliability. Maintaining data consistency is a problem with live system forensics in which data is not acquired at a unified moment. If a system is running, it is impossible to freeze the machine's state in the course of data acquisition. Even the most efficient method introduces a time difference between the moment you acquire the first bit and the moment you acquire the last bit.
Rule of thumb
Where did the picture come from? Has it been resaved, resized, or altered? Not much information can be recovered from a low-resolution image; repeatedly saved images are compressed, so artifacts will be less detailed. Don't modify data: get it from the original source. Scans and screenshots get rid of metadata and add artifacts. Don't extract frames from video:
- The highest quality video is typically lower quality than a low quality JPEG.
- Video players scale the picture and alter image colors.
- Extracting frames from video removes original metadata, yielding a low quality image that has been significantly post-processed and is unlikely to provide useful information.
Operand
1) In computers, an operand is the part of a computer instruction that specifies data that is to be operated on or manipulated and, by extension, the data itself. Basically, a computer instruction describes an operation (add, subtract, and so forth) and the operand or operands on which the operation is to be performed. 2) In mathematics, an operand is the object of a mathematical operation.
How do you find out who sent anonymous mail?
Must examine logs maintained by remailer or anonymizer companies
How to protect data at border crossing?
Only take what you need: they can't search what you don't have. Use encryption. Completely turn off the device.
Double exposure
Overlays two images to make one. William H. Mumler, "spirit photographer", trial for fraud 1869; the subjects in his photos were actually alive.
What to evaluate
Evaluate the photo, not the content; you can tell if the photo is altered.
IMAP port
port:143
Opcode
Portion of a machine language instruction that specifies what operation is to be performed by the central processing unit
how to know if image is modified
Use the null hypothesis: is the image from the original camera, or is it modified? Detectable modifications identify a false hypothesis. If you can't show it's not original, then it was re-saved or modified.
What are the 8 great ideas in computer architecture?
- Design for Moore's Law
- Abstraction to Simplify Design
- Make the Common Case Fast
- Performance via Parallelism
- Performance via Pipelining
- Performance via Prediction
- Hierarchy of Memories
- Dependability via Redundancy
SRAM (static RAM)
- Faster and more expensive than DRAM
- Volatile
- Small amounts are often used in cache memory for high-speed memory access
Metadata
- Free online tools like metapicz.com
- Missing data (like camera type and exposure settings) is suspicious
- Just finding Adobe Photoshop isn't a smoking gun: many professional photographers will edit their images in legitimate ways
Flash Memory
- Inexpensive nonvolatile secondary storage
- Useful for nonvolatile portable computer storage, digital cameras, tablets, smartphones
- Slower rewrite time compared to RAM
DRAM (Dynamic RAM)
- Most common, cheap, less electrical power, less heat, smaller space
- Volatile: must be refreshed (recharged with power) 1000's of times each second
SIMD instructions
Multimedia applications, like modifying an image, often use SIMD instructions (i.e. they perform a single operation on multiple pieces of data simultaneously)
Instruction Elements
- OPCODE: task
- Source OPERAND(s)
- Result OPERAND
- Location of data (register, memory)
  - Explicit: included in instruction
  - Implicit: default assumed
Parallel vs. Serial Buses
- Parallel
  - High throughput because all bits of a word are transmitted simultaneously
  - Expensive and require a lot of space
  - Subject to radio-generated electrical interference, which limits their speed and length
  - Generally used for short distances such as CPU buses and on computer motherboards
- Serial
  - 1 bit transmitted at a time
  - Single data line pair and a few control lines
  - For many applications, throughput is higher than for parallel because of the lack of electrical interference
Bus Categorizations
- Parallel vs. serial buses
- Direction of transmission
  - Simplex - unidirectional
  - Half duplex - bidirectional, one direction at a time
  - Full duplex - bidirectional simultaneously
- Method of interconnection
  - Point-to-point - single source to single destination
    - Cables - point-to-point buses that connect to an external device
  - Multipoint bus - also broadcast bus or multidrop bus
    - Connect multiple points to one another
Multiple Data Instructions
- Perform a single operation on multiple pieces of data simultaneously
- SIMD: Single Instruction, Multiple Data
- Commonly used in multimedia, vector and array processing applications
Program Control Instructions
- Program control
- Jump and branch
- Subroutine call and return
- Return address often stored on a stack
ROM
Read-only Memory: holds software that is not expected to change over the life of the system, such as firmware used for the system BIOS
Stack Instructions
- Stack instructions
- LIFO method for organizing information
- Items removed in the reverse order from how they are added
How does anonymous remailing work?
- Suspect sends an email message to an anonymizer
  - Anonymizer is an email server that strips identifying information from the message before forwarding it with the anonymous mailing computer's IP address
What protects email law
- The Fourth and Fifth Amendments to the U.S. Constitution
- Also note issues with biometric ID, which is not necessarily protected by these amendments
What type of evidence is a password?
- Courts are in relative accord that the Fifth Amendment doesn't protect against the production of physical features or acts. For example, the Fifth Amendment does not bar the compelled production of a person's voice, blood, handwriting or visage; although the features may be incriminating, they have no testimonial or communicative nature.
- The government can compel you to produce a biometric password
- Passwords/passcodes offer greater privacy
- The Eleventh Circuit in In Re: Grand Jury Subpoena (U.S. v. Doe) held that the government can't compel a person to produce a password unless it knows the person possesses the password and knows, with reasonable particularity, that the device contains incriminating evidence.
- Note that all of these examples are subject to change and re-interpretation in the future
Windows registry structure
The Windows Registry has a structure similar to Windows folders and files. Each main folder is named a Hive. Each hive contains subfolders called Keys. These keys contain subkeys with configuration values for each software program/system component of the computer. There are five main Hives. UserAssist uses subkeys viewed with a Registry viewer and encoded in ROT13.
BUS
- The physical connection that makes it possible to transfer data from one location in the computer system to another
- Group of electrical or optical conductors for carrying signals from one location to another
- Wires or conductors printed on a circuit board
- Line: each conductor in the bus
- 4 kinds of signals
  1. Data
  2. Addressing
  3. Control signals
  4. Power (sometimes)
Windows Registry
- Whenever a user installs a software program/application, a hardware or a device driver for newly connected hardware in a Windows based computer system, the initial configuration settings of these are stored as keys and values in a system defined, central hierarchical database repository called the Windows Registry.
- During the usage of the software or the hardware, the changes made to these configurations are updated in the registry. Also, the changes made to Control Panel settings, file associations, Windows components and so on, during the use of the computer, are updated in the registry.
How to improve memory accesses
- Wide Path Memory Access
  - Retrieve multiple bytes instead of 1 byte at a time
- Memory Interleaving
  - Partition memory into subsections, each with its own address register and data register
- Cache Memory
slurred images
Similar to a photograph of a moving object. In the context of live forensic acquisition, a slurred image is the result of acquiring a file as it is being updated.
Heap
- A heap is a complete binary tree in which each element is less than or equal to both of its children
- So a heap has both structural and ordering constraints
- As with binary search trees, there are many possible heap configurations for a given set of elements
- The application's data that needs to be dynamically allocated is stored within the region called the heap.
- Unlike data allocated on the stack, which persists only for the scope of a function, the data allocated within the heap can persist for the lifetime of the process.
- Common examples of interesting data that you can find in the heap include
  - data read from files on disk
  - data transferred over the network
  - input typed into a keyboard
- Due to the nature of data stored within it, the heap can provide valuable evidence during forensics investigations. Because the data can be application dependent, manual analysis might be required, such as viewing data with a hex editor or by extracting strings for further examination.
What is a stack?
- A stack is a classic collection used to help solve many types of problems
- A stack is a linear collection whose elements are added in a last in, first out (LIFO) manner
- That is, the last element to be put on a stack is the first one to be removed
- Think of a stack of books, where you add and remove from the top, but can't reach into the middle
Linked Structures
- An alternative to array-based implementations is linked structures
- A linked structure uses object references to create links between objects
- Recall that an object reference variable holds the address of an object (indicating where the object is stored in memory)
- Usually, the specific address in memory is not relevant.
- So instead of showing addresses, we depict a reference variable as a name that "points to" an object.
- This type of reference variable is called a pointer.
Brewer's theorem or CAP theorem
- Impossible to simultaneously provide all three of the following guarantees:
  - Consistency (all nodes see the same data at the same time)
  - Availability (every request receives a response about whether it succeeded or failed)
  - Partition fault tolerance (the system continues to operate despite arbitrary partitioning due to network failure)
- Blockchain provides eventual consistency (i.e. the transaction ledgers from all participants will be consistent after some period of time elapses, between ms and seconds in most cases; Bitcoin recommends waiting until 5 more transactions have completed)
- Smart Contracts are another practical example
Coded Messages
- Let's use a queue to help us encode and decode messages
- A Caesar cipher (or variants like ROT13, which is used in the Windows registry) encodes a message by shifting each letter in a message by a constant amount
- However, this is fairly easy to break; an improvement can be made by changing how much a letter is shifted depending on where the letter is in the message
Variables and the Stack/Heap
- Local variables live on the stack, in the frame corresponding to the method where the variable is declared
- Object reference variables work just like primitive variables: if the reference is declared as a local variable, it goes on the stack
- All objects live on the heap, regardless of whether the reference is a local or instance variable
- The values of an object's instance variables live inside the object, on the heap.
Priority Queues
- Recall that a FIFO queue removes elements in the order in which they were added
- A priority queue removes elements in priority order, independent of the order in which they were added
- Priority queues are helpful in many scheduling situations
- A heap is a classic mechanism for implementing priority queues
Stack frames
- Stack frames hold the state of the method, including which line of code is executing, and the values of all the local variables:

    class StackFrameDemo {
        // doStuff -> go -> crazy: each call pushes a new frame holding that method's locals
        public void doStuff() {
            boolean b = true;
            go(4);
        }
        public void go(int x) {
            int z = x + 24;
            crazy();
        }
        public void crazy() {
            char c = 'a';
        }
    }

- Analysis of remnant and active stack frames is extremely useful during memory forensics because they provide valuable insight into which code was being executed and what data was being processed.
- For example,
  - keys can be passed to encryption routines
  - stolen data from the computer (keystrokes, file contents) can be sent to functions for exfiltration
- During malware analysis, stack frames can be used to infer what part of the malware was active and what parts of the system the malware was interacting with.
What is a Stack and Heap
- The Stack and the Heap are two areas of memory created by the Java Virtual Machine
- The Stack contains method invocations and local variables
- The Heap contains objects, and is cleared by the Garbage Collector