Week 4 Digital Forensics
OTHER devices that present interest from forensic POV
1.Answering machines including VoIP boxes 2.Gaming systems such as Xbox, PlayStation and Wii 3.Access control systems and devices 4.Credit card readers/skimmers and encoders 5.Other devices with user-driven storage capability: watches, pagers, calculators 6.Digital cameras 7.Any sound or video recorders 8.Car entertainment systems including GPS 9.Dashboard cameras etc.
Quality assurance (QA) The examiners have to submit to proficiency testing •There are 4 categories of proficiency testing:
1.Open Test - analysts and technical support are aware of being tested 2.Blind Test - the analyst and technical support are not aware of being tested 3.Internal Test - conducted by the agency/lab itself 4.External Test - conducted by an external lab/agency
•QA can be divided in two processes:
1.Technical Review - are the results supported by the evidence? 2.Administrative Review - is the process and the paperwork correct and complete?
Quality Assurance (QA)
Quality Assurance refers to administrative and procedural activities implemented in a quality system so that requirements and goals for a product, service or activity will be fulfilled
Quality assurance (QA)•Two areas of great interest:
Tools and Documents
Virtual labs need
to be able to deal with this aspect as by the very definition of the virtual lab a network connection must exist.
•SWGDE's set of competencies
•1. Pre-examination procedures and legal issues •2. Media assessment and analysis •3. Data recovery •4. Specific analysis of recovered data •5. Documentation and reporting •6. Presentation of findings
Principles of RISK Analysis •Complete Security Solution
•1. unplug network cable •2. encrypt the data with strong encryption •3. delete the encryption key •4 delete and forget password(s) •5. unplug the power •6. lock computer in a vault •7. cover vault with thick concrete
•Standards for Hardware Write Blockers (HWB)
•A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device. •An HWB device shall return the data requested by a read operation. •An HWB device shall return without modification any access-significant information requested from the drive. •Any error condition reported by the storage device to the HWB device shall be reported to the host
•Accreditation vs certification
•Accreditation focusing on an entity such as lab Certification focusing on an individual
Accreditation
•Accreditation is an endorsement of a crime lab's policies and procedures •The American Society of Crime Laboratory Directors/ Laboratory Accreditation Board (ASCLD/ LAB) is recognized as a world leader in the accreditation of forensic laboratories. - world-wide accreditation •Accreditation is desirable but not mandatory •Objectives: •1. improve the quality of laboratory services provided to the criminal justice system. •2. develop and maintain criteria that may be used by a laboratory to assess its level of performance and to strengthen its operation. •3. provide an independent, impartial, and objective system by which laboratories can benefit from a total operational review. •4. offer to the general public and to users of laboratory services a means of identifying those laboratories that have demonstrated that they meet established standards •
•Additional details to the report:
•All additional files •Files that support findings •Emails, and other artifacts •Search results •Evidence of ownership of device!!!!! •Glossary!!!!!!
Principles of RISK Analysis•Assessment of the current structure and associated processes and procedures People
•Competence •Responsibility •Authority
•Standard Operating Procedures (SOP)
•Evidence chain of custody •Examination process •Records keeping •Security
Storage
•Evidence should be stored in special data safes •Data safes are able to keep media at constant temperature and protect from theft and fire •Electromagnetic evidence should be kept in Faraday bags •Access to evidence safes should be controlled by electronic and/or biometric means and logs need to be completed. •Audit trail wins trust in court!
Quality assurance (QA) Examiner's Final Report:
•Identity of the Reporting Agency •Case ID number •Case investigator •Date of receipt of case and report •Detailed description of evidence including serial numbers, makes, models, photos, etc. •Identity of examiner •Description of the steps Results and conclusion
Digital forensic tools•Software (open Sources, Licensed)
•Imagers •Analyzers •File carvers, etc.
Principles of RISK Analysis•Threats to information
•Integrity - data corruption intentional or unintentional •Authenticity - is the data presented authentic or "fake"?; sometimes in conjunction with integrity •Confidentiality- public vs non public •Availability - ability to access data. Blocking data access through illegitimate access control, denial-of-service attack, etc.
•RCMP Integrated Technological Crime Unit (C Division) fulfill the following four mandates:
•Lead the investigative response on pure computer crime investigations i.e., where the computer and/or its contents are the target of a criminal act; •Provide specialized technical investigative services including the search, seizure and analysis of digital and electronic evidence relevant to intelligence gathering and criminal investigations; •Conduct research, development, and validation to produce and deliver investigative tools and utilities for technological crime operations; Develop national policy and provide program management services, including research and analysis to identify trends pertaining to the criminal use of technology.
•Two types of accreditations:
•Legacy •International added requirements such as ISO/IEC 17025:2005 - tech lab certification - specifies the general requirements for the competence to carry out tests and/or calibrations, including sampling
SWGDE SOP Proposal divides in two
•Onsite/Scene Procedures •Laboratory Procedures •SWGDE Model SOP for Computer Forensics v3. •IEEE has a lot of material
Digital forensic tools mobile devices
•Oxygen Forensic Suite - Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. •Cellebrite UFED (over 3,000 phones) •Paraben Corporation (more than 4,000 phones and GPS)
Digital forensic tools
•PCs., servers •high performance equipment similar to the one courtesy of ForensicComputer Inc. •Write Blockers •Wiper •Hard Drive Duplicators (4GB-9GB/minute) •Hardware with firmware password recovery tools or •DNA (Distributed Network Attack) software •Cell phone acquisition devices •Hard drive recovery devices •Portable storage devices •Adapters •Cables, etc.
Digital forensic tools free software
•ProDiscover Basic - allows to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data •Volatility - memory forensics framework for incident response and malware analysis that allows to extract digital artefacts from volatile memory (RAM) dumps: running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, etc. •The Sleuth Kit and Autopsy •CAINE (Computer Aided INvestigative Environment) for Linux environnent •DEFT - Linux tool. tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing. •Xplico - is an open source Network Forensic Analysis Tool (NFAT) on Linux environment. Extracts applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database •Mandiant RedLine - memory and file analysis of a specific host •PlainSight - Linux platform: viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, etc
Principles of RISK Analysis•Assessment of the current structure and associated processes and procedures•Devices
•Process to acquire technology •Process to install/implement technology •Process to maintain technology
•According to Bryan Evans (Is Your Computer Forensic Laboratory Designed Appropriately, May 6, 2015) a lab should have
•Proper electrical infrastructure •Heating, ventilation, AC in its own zone •Soundproofing •Enough workspace to accommodate the analyst and all required tools •Storage both shared and workspace •Network - dedicated line •Security - access control - multiple layers, cameras •Equipment •Toolkits •Imaging hardware and software •Power adapters •Software
Digital forensic tools
•SANS (SysAdmin, Audit, Networking, and Security, www.sans.org) Investigative Forensic Toolkit (SIFT) -> file carving as well as analyzing file systems, web history, recycle bin. It can also analyze network traffic and volatile memory and it can also generate a timeline. •Forensic Toolkit from Access Data (FTK) •EnCase from Guidance Software •X-Ways Forensics - www.x-ways.net/forensics/
•Virtual Labs follow the concept of cloud computing however there are concerns related to that:
•Security - all level security, evidence, tools, user access, etc. needs to be considered otherwise evidence could be inadmissible •Performance - connection and other resources need to be available and plenty otherwise the time to perform analysis is too long •Cost - all comes to money as all the components are expensive
Lab security
•Similar to a potential scene crime labs need to ensure that the evidence is protected. •Access to evidence is controlled •Electronic and biometric access control is suggested over usual mechanical key locks •Chain of custody includes handling of evidence in the lab therefore needs to be ensured that access to evidence is logged, checked-out, checked-in, who and when handled the evidence
•Type of documents:
•Submission forms, Crime scene report, Case report Search authority, Chain of custody record •Examiner's notes should cover all examiner's actions •Discussion notes with lawyers, investigators, etc. •Out of ordinary or irregular activities related to the prescribed actions •Operating systems, software, versions, patches, etc. •Passwords and user IDs Any changes made by the lab or law enforcement staff
Quality assurance (QA) •The report must have two parts:
•The executive portion which contains the explanation in layperson terms •The detailed technical report
Principles of RISK Analysis•Threats
•To take advantage of vulnerabilities both technical and human •External vs internal threats
Quality assurance (QA•Tool Validation
•Tools need to be validated in order to validate the process: •Work properly •Reliable •Yield accurate results •Don't take the manufacturers' word for it!!!!
Principles of RISK Analysis•Governance principles
•Value to Shareholders/Stakeholders •Manage Risk
Principles of RISK Analysis•Risk Management
•Vulnerability •Threat •Risk
Best practice suggests that
•a lab computer where the evidence is analysed should not be connected to the internet. •Possible contamination by access through the internet are removed
In order to protect the rest of the lab
•hard drives brought in as evidence should be checked for viruses at least by one antivirus tool (read-only mode)
Quality assurance (QA)•Documentation
•must be: •Clear •Complete Accurate
Quality assurance (QA)Where possible use
•pre-printed standard forms such as evidence description, chain of custody report, etc.