Forensic Overview - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Forensic Overview
Session 6 (4:10-5:10 pm)
Jeffrey Savoy, CISSP, EnCE
Information Security Officer, University of Wisconsin-Madison
2
Overview
  • Background
  • Digital Preservation
  • Digital Analysis

3
Background
Definitions
Digital Investigation: answer questions about digital events.
Digital Forensic Investigation: answer questions about digital events so that the results are admissible in court.
4
Background
  • Sample forensic considerations
  • Chain-of-Custody
  • Prevent cross contamination during exam
  • Wide acceptance of investigative techniques?
  • Can the findings be duplicated?

5
Background
  • Examples of digital investigation cases
  • Electronic harassment (Google, email, etc.)
  • Fraud (spreadsheets, etc)
  • Illegal pornography
  • Stolen computer recovery
  • Assist in identifying owner
  • Hacking (software, victim machines see files)

6
- Media Acquisition
7
- Media Acquisition
- Answer questions
8
- Media Acquisition
- Answer questions
- Ensure answers are correct to the extent
possible
9
- Media Acquisition
- Answer questions
- Ensure answers are correct to the extent
possible
The full process is recommended in forensics, but some investigations may take short-cuts, e.g. skipping directly to evidence analysis on a live system.
10
Digital Investigation Tools
A wide variety of tools exist and may operate at one or more levels of the investigative process, e.g. preservation, analysis.
(Approximate; plug-ins, etc.)
11
Digital Investigation Tools
Whatever tools you choose, make sure to obtain training and test them to gain experience.
This session illustrates the investigative process primarily with Encase.
12
Evidence Preservation
  • Sample guidelines
  • Preserve original evidence and work on a copy of the data
  • Digital data is fragile; obtain it with minimal disturbance
  • Results should be repeatable
  • Take good notes!

13
Evidence Preservation
  • Traditionally obtain an exact copy of the data on media that survives power down
  • Higher level of certainty
  • Possibly capture the state of a live system
  • Lower level of certainty due to side effects, but may lead to more understanding

14
Evidence Preservation
  • Where is the evidence?
  • Hard drives
  • USB Thumb drives
  • CDROMs
  • Floppy diskettes
  • Palm Pilot
  • Memory

15
Evidence Preservation
Rule of thumb: acquire data at the lowest level at which you believe there may be useful evidence.
This addresses the difference between file-level preservation, e.g. backups, and a sector-by-sector low-level image.
16
Evidence Preservation
  • Implement media write blockers during
    acquisition
  • Prevent changes to evidence
  • Sit between forensic machine and media
  • SCSI, SATA, IDE, etc.

17
Evidence Preservation
Implement write blocker bridges: FireWire/USB to IDE/SATA/SCSI/etc.
Full kit approximately $1,500.
18
Evidence Preservation
  • Network Acquisition
  • Prevent writes to evidence
  • Sometimes best option, eg RAID array

19
Evidence Preservation
Palm Acquisition
20
Evidence Preservation
Raw image: only data from the source media. Example: dd.
Embedded image: includes additional descriptive data, e.g. hash values, case notes, etc. Example: Encase evidence file.
Review examples.
21
Evidence Preservation
dd
Native to Unix/Linux; available for Windows.
Copies chunks of data from one file and writes it to another.
Only knows about files, not file systems, disks, etc.
22
Evidence Preservation
dd examples
Create an image of a hard drive:
dd if=/dev/hda bs=2k of=raw.img
Calculate the MD5 checksum of the drive:
dd if=/dev/hda bs=2k | md5sum
Preserve memory in Windows:
dd if=\\.\PhysicalMemory of=c:\memory.dd bs=47
(\\.\ is the Windows way of accessing a device file)
23
Evidence Preservation
Encase example
  • Highlights
  • File segment size
  • Compression

24
Evidence Preservation
Compare the acquisition hash to a manually calculated hash at any time.
Values agree.
25
Evidence Preservation
Quick review: acquire media with hardware write blockers. Examples of dd and Encase.
Move to Evidence Analysis.
26
Evidence Analysis

27
Evidence Analysis

28
Evidence Analysis

29
Evidence Analysis
Quick Definitions: Sectors, Clusters, MBR, Allocated vs Unallocated Clusters, File Slack

30
Evidence Analysis
Sectors and Clusters
Sectors: the smallest addressable unit on a hard drive, typically 512 bytes.
Clusters: the smallest allocation unit used by the operating system, made up of groups of sectors.

31
Evidence Analysis
Master Boot Record (MBR)
In PCs, boot code exists in the first 446 bytes of the first sector. The remaining bytes contain information on the first four partitions. The boot process runs the code from the MBR, which then looks up the location of the first bootable partition and loads additional boot code from there.

32
Evidence Analysis
Allocated vs Unallocated Space
File systems like FAT/NTFS reserve clusters for use. As the file system fills with files, the clusters become allocated. As files are removed, the clusters become unallocated and are again available for use by the file system. Thus, unallocated space may contain useful information in an investigation.

33
Evidence Analysis
File Slack
The file system pre-allocates space for individual files (clusters). If a file does not occupy the full space, the end is slack. This slack may contain information from the previous file. Similar to recording an hour-long show on VHS tape and overwriting it with a 30 minute show. Note that file slack is allocated space.
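The following is an added illustration of slides 30 to 33, not code from the presentation. It models a toy volume with 512-byte sectors and 8-sector clusters, writes a file, deletes it (which only clears the allocation map, as FAT/NTFS do), and then writes a shorter file over the same clusters. The slack of the new file and the still-unallocated clusters both turn out to hold the old file's bytes. The cluster size and the sample file contents are constructed here.

```python
"""Toy cluster-based volume: allocated vs unallocated space and file slack.
Added illustration; not part of the original slides."""
from dataclasses import dataclass, field

SECTOR = 512                       # typical sector size (from the slides)
SECTORS_PER_CLUSTER = 8            # assumed cluster geometry for this demo
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 4096-byte allocation unit


@dataclass
class Volume:
    """Flat byte array divided into clusters, plus an allocation map.
    Deleting a file only releases clusters in the map; bytes stay behind."""
    n_clusters: int
    data: bytearray = field(init=False)
    allocated: dict = field(default_factory=dict)   # cluster -> file name
    files: dict = field(default_factory=dict)       # name -> (clusters, size)

    def __post_init__(self):
        self.data = bytearray(self.n_clusters * CLUSTER)

    def clusters_needed(self, size):
        return -(-size // CLUSTER)                  # ceiling division

    def write(self, name, content):
        need = self.clusters_needed(len(content))
        if need == 0:
            raise ValueError("zero-length files are not modelled here")
        free = [c for c in range(self.n_clusters) if c not in self.allocated]
        if len(free) < need:
            raise OSError("volume full")
        chosen = free[:need]
        for i, c in enumerate(chosen):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the new file's bytes are written; the rest of the last
            # cluster keeps whatever was there before (file slack).
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = name
        self.files[name] = (chosen, len(content))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        for c in clusters:
            del self.allocated[c]                   # content is left in place

    def slack(self, name):
        """Bytes between the file's logical end and the end of its last cluster."""
        clusters, size = self.files[name]
        last = clusters[-1]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        start = last * CLUSTER + used_in_last
        return bytes(self.data[start:(last + 1) * CLUSTER])

    def unallocated(self):
        """Raw content of every cluster not currently owned by a file."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(self.n_clusters) if c not in self.allocated)


def old_content():
    # constructed "hour-long show": exactly two clusters of recognisable data
    return (b"OLD-EVIDENCE-" * 1000)[:2 * CLUSTER]


def demo():
    vol = Volume(n_clusters=4)
    vol.write("old.txt", old_content())
    vol.delete("old.txt")                 # clusters 0 and 1 become unallocated
    vol.write("new.txt", b"new content " * 100)   # 1200 bytes, lands in cluster 0
    return vol


if __name__ == "__main__":
    v = demo()
    print("slack bytes of new.txt:", len(v.slack("new.txt")))
    print("slack starts with:", v.slack("new.txt")[:26])
    print("unallocated cluster 1 starts with:", v.unallocated()[:26])
```

Running it shows that the 2896 bytes of slack after new.txt, although in allocated space, are a fragment of old.txt, and that cluster 1 still holds the rest of the old file in unallocated space.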
34
Evidence Analysis
Encase displays file slack as red text
May find tidbits
35
Evidence Analysis
Encase view of sample PC media. Note MBR, FAT, Allocated/Unallocated.

36
Evidence Analysis
Encase view of Sector 0 containing the MBR

37
Evidence Analysis
We can sweep 64 bytes on sector offset 446 to
manually confirm the partition information

38
Evidence Analysis
Use an Encase Bookmark to translate the bytes into the partition information.
Type and Status fields: status 80 is the bootable partition, in this case the NTFS partition.
39
Evidence Analysis
Encase report view of same disk confirms
the information.

40
Evidence Analysis
What happens if the partition table is gone (on purpose or otherwise)?
The Encase view:
Note that no logical volumes are shown (C, D) and all clusters are gray.
41
Evidence Analysis
Search for common beginnings of partitions starting at sector 63:
MSWIN4.0 - Windows 98 FAT
MSWIN5.0 - Windows 2000, XP FAT
NTFS - Windows NTFS
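As an added example for slides 31 and 37 to 41 (not code from the presentation), the script below parses the four 16-byte partition entries at offset 446 of sector 0, flags the entry whose status byte is 80 as bootable, and confirms each entry by reading the OEM ID at byte offset 3 of the partition's first sector. It then wipes the partition table and falls back to scanning every sector for the MSWIN4.0 / MSWIN5.0 / NTFS signatures, the manual recovery the slides describe. The disk image is constructed in memory; the 55 AA boot signature check and the partition type codes 07 (NTFS) and 0B (FAT32) are standard values not shown on the slides.

```python
"""MBR partition table parsing with volume boot record confirmation.
Added example; the sample image is constructed below, not a real disk."""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # 4 entries x 16 bytes = 64 bytes
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of sector 0

# OEM IDs at byte offset 3 of a FAT/NTFS volume boot record (from slide 41)
KNOWN_OEM_IDS = {
    b"MSWIN4.0": "Windows 98 FAT",
    b"MSWIN5.0": "Windows 2000, XP FAT",
    b"NTFS    ": "Windows NTFS",
}


def parse_partition_table(sector0):
    """Return the non-empty entries of the DOS partition table in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 55 AA boot signature")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = \
            struct.unpack_from("<B3sB3sII", sector0, off)
        if ptype == 0:
            continue                                  # empty slot
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    return entries


def identify_volume(image, lba):
    """Name the file system whose boot record starts at sector `lba`, if known."""
    off = lba * SECTOR
    return KNOWN_OEM_IDS.get(bytes(image[off + 3:off + 11]))


def scan_for_volume_signatures(image):
    """Sector-by-sector search used when the partition table is gone."""
    return [(lba, desc) for lba in range(len(image) // SECTOR)
            if (desc := identify_volume(image, lba))]


def wipe_partition_table(image):
    """Simulate a destroyed partition table (the 64 bytes at offset 446)."""
    img = bytearray(image)
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = bytes(64)
    return bytes(img)


def build_sample_image():
    """Constructed image: bootable NTFS partition at sector 63, FAT32 after it."""
    img = bytearray((2111 + 512) * SECTOR)

    def entry(status, ptype, lba, count):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

    table = entry(0x80, 0x07, 63, 2048) + entry(0x00, 0x0B, 2111, 512) + bytes(32)
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = table
    img[510:512] = BOOT_SIGNATURE
    # volume boot records: jump instruction followed by the 8-byte OEM ID
    img[63 * SECTOR:63 * SECTOR + 11] = b"\xEB\x52\x90" + b"NTFS    "
    img[2111 * SECTOR:2111 * SECTOR + 11] = b"\xEB\x58\x90" + b"MSWIN5.0"
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for e in parse_partition_table(image[:SECTOR]):
        print(e, "->", identify_volume(image, e["lba_start"]))
    wiped = wipe_partition_table(image)
    print("entries after wipe:", parse_partition_table(wiped[:SECTOR]))
    print("signature scan:", scan_for_volume_signatures(wiped))
```

The scan deliberately ignores the table and trusts only the boot record signatures, so it also serves as a cross-check that the table and the volumes on disk agree.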

42
Evidence Analysis
Now inform Encase that we believe this location contains an NTFS partition.

43
Evidence Analysis

The volume now appears. It can be saved to the Encase case so that it is retained after shutdown.
44
Evidence Analysis
In reviewing files, Encase provides the GUI below.

Note the ability to sort columns and the files listed out.
45
Evidence Analysis
  • Encase GUI provides the ability to filter
  • Used to view files based on supplied criteria
  • Can be used to reduce many thousands of files to a more manageable level

Example of listing only Word docs
46
Evidence Analysis
Searches: a major activity in many investigations. Decide on text terms or patterns.
47
Evidence Analysis
  • When doing text/pattern searches, usually also run:
  • File signature verification (review file headers)
  • Hash computation (compute hashes on all files)
  • Review both in a moment

48
Evidence Analysis
Search hits displayed along with their locations
on the media
Note keyword hits in unallocated clusters
49
Evidence Analysis
File Signature Verification
Encase can compare each file header to a library of over 220 unique known signatures in order to determine the file type, e.g. .doc, .jpg, etc.
How is this useful?
50
Evidence Analysis
Case one
A file header matches a known value but the extension does not match.
Can assist in finding files with changed extensions, for example a .jpg file renamed with a .txt extension.
Can do this for every file and quick-sort to search for inconsistencies.
51
Evidence Analysis
Case two
A file header matches a known value but the file does not have an extension.
Encase will act consistently with the header when the file is double-clicked, e.g. launch Excel for a file matching the Excel header.
Encase will act consistently with the header when the file is viewed, e.g. Gallery view will display pictures even though they have no extensions. Useful for Macintosh HFS file systems.
52
Evidence Analysis
Hash computation Calculate the MD5 hash of
every file
53
Evidence Analysis
Hash computation
  • Uses
  • Find specific file
  • Third party may provide hashes to search
  • Malware, illegal images, etc
  • Filter known files
  • Faster searches! Example

54
Evidence Analysis
Import NIST known OS MD5 hashes, available on their web site.
55
Evidence Analysis
Encase now indicates known files ( used for
sorting purposes)
56
Evidence Analysis
Now use an Encase Filter to remove these files from view and searches.
In this case, reduced 21,085 files to 14,787: 30% fewer files to search!
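An added example covering slides 49 to 56 (not code from the presentation or from Encase): for every file under a directory it compares the header bytes against a small magic-number library, classifies the result as match, mismatch (case one: a .jpg renamed to .txt), no-extension (case two: an Office file with no extension) or unknown, computes the MD5 hash, and marks files whose hash appears in a known-file set so they can be filtered out. The sample files and the "known" hash set are constructed in a temporary directory; the signature table is a tiny stand-in for the 220-entry library and the NIST hash set mentioned on the slides.

```python
"""File triage: header/extension consistency plus known-hash filtering.
Added example; sample files and the known-hash set are constructed here."""
import hashlib
import tempfile
from pathlib import Path

# Header magic numbers for a few common types (a real library is far larger)
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "ole": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),   # Office 97-2003 .doc/.xls/.ppt
    "zip": (b"PK\x03\x04",),
}
# Extensions that legitimately carry each header type
EXTENSIONS_FOR = {
    "jpg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}, "pdf": {"pdf"},
    "ole": {"doc", "xls", "ppt"}, "zip": {"zip", "docx", "xlsx", "jar"},
}


def identify_header(data):
    """Return the signature name matching the first bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def verify_signature(path):
    """Compare the header type with the file's extension (slides 50 and 51)."""
    with path.open("rb") as f:
        kind = identify_header(f.read(16))
    ext = path.suffix.lower().lstrip(".")
    if kind is None:
        verdict = "unknown"
    elif not ext:
        verdict = "no-extension"            # case two
    elif ext in EXTENSIONS_FOR[kind]:
        verdict = "match"
    else:
        verdict = "mismatch"                # case one: renamed extension
    return kind, verdict


def md5_of(path, chunk=1 << 20):
    """Hash in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_hashes):
    """One record per file: header type, verdict, hash, and known-file flag."""
    report = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        kind, verdict = verify_signature(p)
        digest = md5_of(p)
        report.append({"name": p.name, "header_type": kind, "verdict": verdict,
                       "md5": digest, "known": digest in known_hashes})
    return report


def remaining(report):
    """Files left to examine after filtering out known ones."""
    return sum(1 for r in report if not r["known"])


def build_sample_tree():
    """Constructed evidence directory and a stand-in for the NIST hash set."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "notes.jpg").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\x00" * 60)   # consistent
    (root / "photo.txt").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\x00" * 60)   # renamed .jpg
    (root / "budget").write_bytes(SIGNATURES["ole"][0] + b"\x00" * 60)     # no extension
    (root / "system_file.dll").write_bytes(b"MZ" + b"\x90" * 100)          # "known" OS file
    known = {md5_of(root / "system_file.dll")}
    return root, known


if __name__ == "__main__":
    root, known = build_sample_tree()
    report = triage(root, known)
    for r in report:
        print(f"{r['name']:16} {str(r['header_type']):5} {r['verdict']:13} known={r['known']}")
    print(f"{len(report)} files, {remaining(report)} left after known-file filter")
```

Sorting the report by verdict reproduces the "quick sort for inconsistencies" step from slide 50, and the known flag is what a filter would key on to shrink the search set.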
57
Evidence Analysis
Data Carving within Encase
Can match headers/footers/file size/etc., search through unallocated space, carve out the file and save it to the forensic machine for review. Commonly search for JPEGs, HTML, etc. Since the search is through unallocated space, the files found may not be complete.
Encase provides EnScript (similar to C) to do this.
58
Evidence Analysis
Run EnScript
59
Evidence Analysis
Carve out any JPEGs found in the unallocated clusters. Likely to include incomplete JPEGs, since they may have been partially overwritten.
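Below is an added example of header/footer carving for slides 57 to 59; it is not the EnScript from the presentation. It scans a buffer of unallocated data for the JPEG start marker FF D8 FF, finds the matching end marker FF D9 while accounting for the embedded thumbnail many JPEGs carry (a nested FF D8 ... FF D9 that would otherwise truncate the carve), and, when no footer follows a header, keeps the fragment and flags it as incomplete, the overwritten case the slides warn about. The unallocated buffer is constructed from three synthetic files.

```python
"""JPEG carving from unallocated space by header/footer matching.
Added example; the unallocated data is constructed, not from a real image."""
from pathlib import Path

JPEG_HEADER = b"\xFF\xD8\xFF"    # SOI marker followed by the first segment marker
JPEG_FOOTER = b"\xFF\xD9"        # EOI marker


def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Return (offset, data, complete) for every JPEG header found in blob."""
    results, pos = [], 0
    while (start := blob.find(JPEG_HEADER, pos)) >= 0:
        limit = min(len(blob), start + max_size)
        depth, cur, end = 1, start + len(JPEG_HEADER), None
        while cur < limit:
            next_hdr = blob.find(JPEG_HEADER, cur, limit)
            next_ftr = blob.find(JPEG_FOOTER, cur, limit)
            if next_ftr < 0:
                break                           # no footer left in the window
            if 0 <= next_hdr < next_ftr:
                depth += 1                      # embedded thumbnail begins
                cur = next_hdr + len(JPEG_HEADER)
                continue
            depth -= 1                          # a footer closes the innermost file
            cur = next_ftr + len(JPEG_FOOTER)
            if depth == 0:
                end = cur
                break
        if end is not None:
            results.append((start, blob[start:end], True))
            pos = end
        else:
            # Header without a matching footer: the tail was overwritten or
            # lies outside the window. Keep up to the next header and flag it.
            next_hdr = blob.find(JPEG_HEADER, start + len(JPEG_HEADER), limit)
            end = next_hdr if next_hdr >= 0 else limit
            results.append((start, blob[start:end], False))
            pos = end
    return results


def save_carved(results, outdir):
    """Write carved files to the forensic machine, marking partial ones."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    names = []
    for offset, data, complete in results:
        name = f"carved_{offset:08x}{'' if complete else '_partial'}.jpg"
        (outdir / name).write_bytes(data)
        names.append(name)
    return names


def build_sample_unallocated():
    """Constructed unallocated region: full JPEG with thumbnail, a truncated
    JPEG whose tail was overwritten by zeros, and a small complete JPEG."""
    thumb = JPEG_HEADER + b"\xE0" + b"T" * 20 + JPEG_FOOTER
    full = JPEG_HEADER + b"\xE1" + b"\x00\x30" + b"Exif\x00\x00" + thumb + b"I" * 200 + JPEG_FOOTER
    partial = JPEG_HEADER + b"\xE0" + b"P" * 100              # footer overwritten
    small = JPEG_HEADER + b"\xDB" + b"S" * 50 + JPEG_FOOTER
    blob = b"\x00" * 64 + full + b"\x00" * 32 + partial + b"\x00" * 16 + small + b"\x00" * 8
    return blob, full, partial, small


if __name__ == "__main__":
    blob, *_ = build_sample_unallocated()
    for offset, data, complete in carve_jpegs(blob):
        print(f"offset {offset:6d} size {len(data):5d} complete={complete}")
```

A carve flagged incomplete is still worth viewing: the image data up to the point of overwrite usually decodes, which is why the slides expect partial JPEGs in the results.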
60
Evidence Analysis
Recovery of deleted files
61
Evidence Analysis
Example of wiping files in software
Encrypt an existing folder using Microsoft Encrypting File System (EFS). Note the TMP artifact left after conversion.
Use the cipher command to wipe the directory.
Result:
62
Evidence Analysis
Recycle Bin (Windows 98, NT, 2000, XP)
The default process when a file is moved to the Recycle Bin:
1. A new file entry is created in the Recycle Bin.
2. Additional information about the file is stored in a hidden system file named INFO2. Most important can be the delete date and time.
63
Evidence Analysis
Each INFO2 record is 800 bytes. When the file is deleted, the file is removed as well as the corresponding INFO2 record, both of which may be recoverable.
Example...
64
Evidence Analysis
INFO2 file found in the Recycler bin.
Can sweep 800 bytes.
Bookmark to display the information.
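As an added example for slides 62 to 64 (not from the presentation), the parser below decodes the 800-byte INFO2 records the slides bookmark by hand: the original path, the record index and drive number (which together give the renamed file in the Recycler, e.g. Dc1.xls), the 64-bit FILETIME deletion timestamp, and the file size. Records whose first ANSI-path byte has been zeroed, the way Windows releases a slot when the Recycle Bin is emptied or a file restored, are reported as deleted-but-present, which is the recoverable-record case from slide 63. The record layout used (260-byte ANSI path, index, drive, FILETIME, size, 520-byte Unicode path) and the 16-byte header are assumptions to verify against your own sample; the INFO2 bytes are constructed.

```python
"""Parse Windows 2000/XP Recycle Bin INFO2 records.
Added example; layout assumed as documented in the lead-in, data constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

RECORD_SIZE = 800                 # from slide 63
HEADER_SIZE = 16                  # assumption: version(4) + 8 reserved + record size(4)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


@dataclass
class RecycleEntry:
    index: int
    drive_letter: str
    original_path: str
    deleted_at: datetime
    size: int
    recycler_name: str         # name the file received inside the Recycler folder
    record_deleted: bool       # slot released (emptied/restored) but bytes still present


def parse_record(rec):
    ansi_raw = rec[:260]                                   # 260 = MAX_PATH
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    unicode_path = rec[280:RECORD_SIZE].decode("utf-16-le").split("\x00", 1)[0]
    letter = chr(ord("A") + drive)                         # 0 = A:, 2 = C:, ...
    return RecycleEntry(
        index=index, drive_letter=letter, original_path=unicode_path,
        deleted_at=filetime_to_datetime(ft), size=size,
        recycler_name=f"D{letter.lower()}{index}{PureWindowsPath(unicode_path).suffix}",
        record_deleted=ansi_raw[0] == 0,
    )


def parse_info2(data):
    """Return every record in an INFO2 file as RecycleEntry objects."""
    rec_size = struct.unpack_from("<I", data, 12)[0]
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    return [parse_record(data[off:off + rec_size])
            for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size)]


def build_record(index, drive, path, deleted_at, size, slot_released=False):
    """Constructed 800-byte record in the assumed layout."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    if slot_released:
        ansi = b"\x00" + ansi[1:]       # first ANSI byte zeroed when the slot is freed
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size) + uni


def build_sample_info2():
    header = struct.pack("<IIII", 5, 0, 0, RECORD_SIZE)    # assumed header layout
    r1 = build_record(1, 2, r"C:\Documents and Settings\user\My Documents\budget.xls",
                      datetime(2006, 3, 15, 10, 30, tzinfo=timezone.utc), 20480)
    r2 = build_record(2, 3, r"D:\temp\notes.txt",
                      datetime(2006, 3, 16, 8, 5, 30, tzinfo=timezone.utc), 1024,
                      slot_released=True)
    return header + r1 + r2


if __name__ == "__main__":
    for e in parse_info2(build_sample_info2()):
        print(f"{e.recycler_name:10} {e.deleted_at.isoformat()} {e.size:6d} "
              f"deleted_record={e.record_deleted} {e.original_path}")
```

The same record decoder applies to an 800-byte sweep bookmarked from unallocated space, which is how an INFO2 record that has itself been deleted can still be read.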
65
Evidence Analysis

Encase can export the acquired files as a Windows share on the forensic machine. How may this be useful?
66
Evidence Analysis
This is useful to allow third-party tools to analyze the exported share of suspect files, most commonly anti-virus software. Example:

67
Evidence Analysis
Virus Checking of suspect drive

68
Evidence Analysis
View web cache
View browser history
69
Evidence Analysis
Windows Artifacts
Documents and Settings/USER/Recent/: recently accessed files, programs, etc. are stored at this location as link files.
Print spooler: past printouts written to disk. Search for EMF files in unallocated space.
70
Event reconstruction
  • Restoring evidence
  • Export programs to run on forensic machine
  • Boot into the suspect's drive
  • Commonly use VMware

71
Event reconstruction
Encase allows acquired files to be exported as a
physical disk
72
Event reconstruction
VMware can use the Encase embedded image directly and allow virtually booting into the suspect drive.
73
Event reconstruction
Use software to reset password to allow access
74
Questions?
Pick up your certificates downstairs!
75
Resources
Windows Forensics and Incident Recovery, Carvey
File System Forensic Analysis, Carrier
Forensic Discovery, Farmer, Venema
Windows dd: http://users.erols.com/gmgarner/forensics
Encase: http://www.guidancesoftware.com
FTK: http://www.accessdata.com/Product04_Overview.htm?ProductNum=04
Ultimate Write Blocker Kit: http://www.forensicpc.com/products.asp?cat=13
NIST Hashes: http://www.nsrl.nist.gov/Downloads.htm
The Sleuth Kit (TSK): http://www.sleuthkit.org/